Malicious PDF — malware analysis report

Static analysis result for SHA-256 09fc7cb527addcfb…

MALICIOUS

PDF

69.5 KB Created: 2021-02-26 07:48:47 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-15
MD5: dc65f232428cf8003e948557b0958ec1 SHA-1: 319c4c01a960e898710a16975089fa56234c120a SHA-256: 09fc7cb527addcfb7face78ec2016853379c70f798c39ce3e053ba6d9d5cf6bf
Risk score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document whose link annotation carries a URI action pointing to a phishing domain (jacksth.ru). The document body, though heavily obfuscated, appears to reference a rewards program, and the keyword parameter of the linked URL (verizon small biz rewards prepaid mastercard) matches that lure theme. ClamAV and the ML classifier also flagged the file as malicious, indicating a high likelihood of malicious intent. Not every extracted URL belongs to the lure: scripts.sil.org/OFL and the ascendercorp.com pages are font licence and foundry references of the kind that embedded font metadata typically carries, so they should not be treated as attacker infrastructure without further evidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9662

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL  Channel
    • https://jacksth.ru/award?keyword=verizon+small+biz+rewards+prepaid+mastercard  PDF link annotation
    • http://makedctl.site/87044984727k1bke.pdf  In PDF document text
    • http://supernefritroller.xyz/916003310728wvdh.pdf  In PDF document text
    • http://oneitstore.info/jorizitotojitojefuxakbg8hm.pdf  In PDF document text
    • http://greenbike.shop/miocardiopatia_dilatada3z4l1.pdf  In PDF document text
    • http://help-mediasupport.com/ripapumafafofiwue5gb9.pdf  In PDF document text
    • http://idealicaitaly.site/giloritulozogivuwaxavorosae57.pdf  In PDF document text
    • http://vquest.website/divina_commedia_canto_3_inferno_riassuntoitr2i.pdf  In PDF document text
    • http://vwwv-avito.online/sense_and_sensibility_quick_summaryzf1tp.pdf  In PDF document text
    • http://taygerr.com/operating_system_not_found_acer_aspire_v5_571ldq42.pdf  In PDF document text
    • http://zespodsvetkoy.site/33580771733ged0b.pdf  In PDF document text
    • http://www.ascendercorp.com/  In PDF document text
    • http://www.ascendercorp.com/typedesigners.html  In PDF document text
    • https://s3.amazonaws.com/zijivevip/sivapuranam_in_tamil_with_lyrics.pdf  In PDF document text
    • https://s3.amazonaws.com/radubozufiwo/bsc_nursing_form_date_2019_in_karnataka.pdf  In PDF document text
    • https://s3.amazonaws.com/legobegutulo/gutobawufufuv.pdf  In PDF document text
    • https://s3.amazonaws.com/likadojivivofu/vimixakiwiwet.pdf  In PDF document text
    • https://s3.amazonaws.com/pezofut/karotenubupebamuvozakakeb.pdf  In PDF document text
    • https://s3.amazonaws.com/zalomi/79976880924.pdf  In PDF document text
    • https://s3.amazonaws.com/nevowimo/86733563981.pdf  In PDF document text
    • https://s3.amazonaws.com/wazorixekunafob/wiwaxofusunojupoxasigife.pdf  In PDF document text
    • https://s3.amazonaws.com/webipejonavuv/javascript_blob_progress.pdf  In PDF document text
    • http://scripts.sil.org/OFL  In PDF document text
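The per-URL channel labels above are what separates the clickable lure from incidental strings. The example below is added for this page and is not the report tool's code: it runs the two extraction channels over a constructed PDF, /URI actions inside /Link annotations versus URLs that merely occur in decoded content-stream text, and finishes with an allow-list step for hosts such as scripts.sil.org that embedded fonts legitimately reference. The object layout, the example.invalid hostnames and the allow-list contents are all constructed assumptions; the parser is a regex pass over raw objects, not a full PDF parser.

```python
import re
import zlib

# Constructed sample (not the analysed file): a minimal uncompressed PDF with one
# /Link annotation carrying a /URI action and one content stream whose visible
# text contains a second URL. Hostnames are placeholders under .invalid.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 88 >>
stream
BT /F1 12 Tf 72 700 Td (Open http://lure.example.invalid/reward_card.pdf to claim) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 300 712]
   /A << /S /URI /URI (https://phish.example.invalid/award?keyword=small+biz+rewards) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI action of a /Link annotation: the channel a reader reaches by clicking.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Stream bodies (content streams hold the page's text operators); the
# lookbehind keeps 'endstream' from being taken as the start of a stream.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
# URL shape inside a PDF literal string; whitespace or a delimiter ends it.
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")


def _unescape_literal(s: bytes) -> bytes:
    """Undo the literal-string escapes that matter for URLs: \\( \\) and \\\\."""
    return re.sub(rb"\\([()\\])", rb"\1", s)


def _decode_stream(body: bytes) -> bytes:
    """Inflate a FlateDecode stream; return the body unchanged if it is raw."""
    d = zlib.decompressobj()
    try:
        return d.decompress(body) + d.flush()
    except zlib.error:
        return body


def extract_urls(pdf: bytes) -> list[tuple[str, str]]:
    """Return (url, channel) pairs labelled the way the report above does:
    'PDF link annotation' for /URI actions, 'In PDF document text' for URLs
    found in (decoded) stream content."""
    found: list[tuple[str, str]] = []
    for m in URI_ACTION_RE.finditer(pdf):
        url = _unescape_literal(m.group(1)).decode("latin-1")
        found.append((url, "PDF link annotation"))
    for m in STREAM_RE.finditer(pdf):
        for raw in URL_RE.findall(_decode_stream(m.group(1))):
            found.append((raw.rstrip(b".,;").decode("latin-1"), "In PDF document text"))
    return found


def suspicious_hosts(urls: list[tuple[str, str]], allow: set[str]) -> list[str]:
    """Hosts from the extracted URLs minus an analyst allow-list (e.g. the font
    licence and foundry hosts that embedded fonts legitimately reference)."""
    hosts = {re.sub(r"^https?://([^/?#]+).*$", r"\1", u) for u, _ in urls}
    return sorted(h for h in hosts if h not in allow)


def flate_streams(pdf: bytes) -> bytes:
    """Recompress every stream body of a constructed PDF so the decode path is
    exercised (the dictionary's /Length and /Filter are left stale on purpose:
    the parser above does not read them)."""
    return STREAM_RE.sub(
        lambda m: b"stream\n" + zlib.compress(m.group(1)) + b"\nendstream", pdf)


if __name__ == "__main__":
    for url, channel in extract_urls(SAMPLE_PDF):
        print(f"{channel:24} {url}")
    print(suspicious_hosts(extract_urls(flate_streams(SAMPLE_PDF)), {"scripts.sil.org"}))
```

Caveats a practitioner should keep in mind when using a pass like this for triage: real samples typically keep page text in FlateDecode streams (handled here by trying to inflate every stream body) and often in object streams (/ObjStm), which this regex pass does not unpack; text split across several Tj/TJ operators, as in a "heavily obfuscated" body, will not reassemble into a URL; and hex-string /URI values (<...>) are not decoded. For anything beyond a quick look, use a real parser such as pypdf or pdfminer and compare its output with the channel labels above.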

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00010015.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10015 | 5464 bytes
SHA-256: 3a4dd00b408a15c9f38b4054a85e71b0deeff393848a9c72ff5e87746729b8eb
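The report carved an sfnt font stream at offset 0x10015, and two of the "document text" URLs above (http://scripts.sil.org/OFL and the ascendercorp.com pages) are the kind of licence and foundry references that live in a font's name table rather than in the lure. The example below is added for this page and is not the report tool's code: it checks whether a carved blob really is an sfnt (TrueType/OpenType offset table) and pulls the URL-bearing name records out, so such hosts can be attributed to the embedded font before they are treated as attacker infrastructure. The font bytes are constructed for the demo with a build helper; nothing here was read from the analysed sample.

```python
import struct
from typing import Optional

# OpenType 'name' table IDs that commonly carry licence text or URLs.
NAME_IDS = {0: "copyright", 1: "family", 8: "manufacturer", 11: "vendor URL",
            13: "licence", 14: "licence URL"}

SFNT_VERSIONS = {0x00010000: "TrueType", 0x74727565: "TrueType ('true')",
                 0x4F54544F: "CFF OpenType ('OTTO')"}


def build_sfnt(names: dict[int, str]) -> bytes:
    """Construct a minimal sfnt blob holding only a 'name' table (constructed
    test input; a real font also carries head, glyf/CFF, cmap, ...)."""
    count = len(names)
    records, strings, off = b"", b"", 0
    for name_id, value in names.items():
        enc = value.encode("utf-16-be")
        # platform 3 (Windows), encoding 1 (Unicode BMP), language 0x0409 (en-US)
        records += struct.pack(">HHHHHH", 3, 1, 0x0409, name_id, len(enc), off)
        strings += enc
        off += len(enc)
    name_table = struct.pack(">HHH", 0, count, 6 + 12 * count) + records + strings
    # offset table: version 1.0, numTables=1, searchRange=16, entrySelector=0, rangeShift=0
    offset_table = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    # table record: tag, checksum (left unset), offset (12 + 16 bytes in), length
    table_record = struct.pack(">4sIII", b"name", 0, 28, len(name_table))
    return offset_table + table_record + name_table


def sfnt_kind(blob: bytes) -> Optional[str]:
    """Return the sfnt flavour named by the first four bytes, or None."""
    if len(blob) < 4:
        return None
    return SFNT_VERSIONS.get(struct.unpack(">I", blob[:4])[0])


def sfnt_name_strings(blob: bytes) -> dict[int, str]:
    """Walk the table directory, find 'name' and return {nameID: string}.
    Raises ValueError when the blob is not a well-formed sfnt."""
    if sfnt_kind(blob) is None or len(blob) < 12:
        raise ValueError("not an sfnt offset table")
    num_tables = struct.unpack(">H", blob[4:6])[0]
    name_off = name_len = None
    for i in range(num_tables):
        rec = blob[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:
            raise ValueError("truncated table directory")
        tag, _checksum, off, length = struct.unpack(">4sIII", rec)
        if tag == b"name":
            name_off, name_len = off, length
    if name_off is None:
        return {}
    table = blob[name_off:name_off + name_len]
    if len(table) < 6 or len(table) != name_len:
        raise ValueError("name table outside the blob")
    _fmt, count, str_off = struct.unpack(">HHH", table[:6])
    out: dict[int, str] = {}
    for i in range(count):
        rec = table[6 + 12 * i: 18 + 12 * i]
        if len(rec) < 12:
            raise ValueError("truncated name records")
        plat, enc, _lang, name_id, length, off = struct.unpack(">HHHHHH", rec)
        raw = table[str_off + off: str_off + off + length]
        if len(raw) != length:
            raise ValueError("name string outside the table")
        if plat == 0 or (plat == 3 and enc in (0, 1, 10)):
            out[name_id] = raw.decode("utf-16-be", errors="replace")
        elif plat == 1:
            out[name_id] = raw.decode("mac_roman", errors="replace")
    return out


def font_urls(blob: bytes) -> dict[str, str]:
    """URLs that originate in the font's own metadata, keyed by field name."""
    return {NAME_IDS.get(nid, str(nid)): s for nid, s in sfnt_name_strings(blob).items()
            if s.startswith(("http://", "https://"))}


# Constructed font whose licence-URL field holds the OFL link seen in the URL list.
DEMO_FONT = build_sfnt({1: "Demo Sans", 13: "Licensed under the SIL Open Font License",
                        14: "http://scripts.sil.org/OFL"})

if __name__ == "__main__":
    print(sfnt_kind(DEMO_FONT), font_urls(DEMO_FONT))
```

On a real carved artifact, read the file bytes in place of DEMO_FONT: a blob that does not start with one of the sfnt versions is not a font regardless of what the carver labelled it, and a URL that shows up under "licence URL" or "vendor URL" here can be attributed to the font rather than to the lure.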