Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d15562228e80c7e…

MALICIOUS

PDF

Size: 68.6 KB  Created: 2020-12-28 00:10:41 +02:00  Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 336674bbcbc828db3723b62e5b20c03c
SHA-1: 759245a3dc400f474b2d2c1b0aec3da5e386a091
SHA-256: 0d15562228e80c7ee2f33329932ec1d0de4caa5e249b3436a5b5061b78392e14
Risk score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

Both the ML classifier and ClamAV flag the file as malicious (ClamAV signature family Pdf.Phishing.Trojan), consistent with a phishing lure rather than an exploit document. The PDF carries an external URI action pointing to a suspicious domain (traffnew.ru), whose utm_term parameter ("logo quiz uk brands pictures") matches the lure theme suggested by the heavily obfuscated document body. The producer string (wkhtmltopdf, an HTML-to-PDF renderer) is consistent with a mass-generated lure page converted to PDF. No scripts were extracted, so the T1059.007 mapping is not corroborated by any static artifact; the verdict rests on the external URI action and the signature hit. Treat the URI target as the primary indicator and the remaining extracted URLs as document-body content until the per-URL channel labels say otherwise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8239

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffnew.ru/strik?utm_term=logo+quiz+uk+brands+pictures
    • https://cdn-cms.f-static.net/uploads/4403531/normal_5fc1e0dc8eb69.pdf
    • https://cdn-cms.f-static.net/uploads/4367005/normal_5f92401ceba9f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/c1785b21-13ee-4ae7-bebc-6855cab331f6/35447696246.pdf
    • https://s3.amazonaws.com/tozaduliwubega/25173751857.pdf
    • https://s3.amazonaws.com/werowibovezoje/xolojuworinobezif.pdf
    • https://uploads.strikinglycdn.com/files/a3b375f1-9e49-43fa-b9c6-36622b7d715b/mofowidu.pdf
    • https://s3.amazonaws.com/dakebesuvum/gupili.pdf
    • https://uploads.strikinglycdn.com/files/2512eff8-04b1-426d-a66d-86dca8c44c11/legend_of_zelda_breath_of_the_wild_p.pdf
    • https://s3.amazonaws.com/mafavuzenoliki/town_of_coupeville_planning.pdf
    • https://s3.amazonaws.com/wajufifenoxuj/72823793508.pdf
    • https://uploads.strikinglycdn.com/files/a861cfef-2120-4eb7-9c22-c1bb5bc65faa/lofukibajodek.pdf
    • https://uploads.strikinglycdn.com/files/52f148b8-1770-4d40-bc7a-3f329abe089d/wogaf.pdf
    • https://uploads.strikinglycdn.com/files/6361535e-6bc8-4820-8045-a07243174b6a/rat_queens_vol_1.pdf
    • https://uploads.strikinglycdn.com/files/95041640-2bbc-464c-9847-499490bc4fb7/16419246570.pdf
    • https://s3.amazonaws.com/tometubufimopim/8551661593.pdf
    • https://s3.amazonaws.com/zabejuvijolu/kingdom_come_deliverance_trophy_guide_psnprofiles.pdf
    • https://uploads.strikinglycdn.com/files/52de7e7d-e90a-4e73-9e3d-bf83024473bc/tetab.pdf
    • http://scripts.sil.org/OFL
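The two heuristics above (PDF_URI and EMBEDDED_URL) and the carved font stream in the next section are three different ways of reading the same file: a /URI action on a link annotation, URLs that only become visible after decoding a content stream, and an embedded sfnt font program located by offset. The following is an added example (not the analysis platform's own code) of a minimal scanner that labels each URL by the channel that reached it and carves sfnt font streams with their file offset, size and SHA-256. The sample PDF, the domains lure.example and example.test, and the fake font bytes are all constructed for the example; the regex-based object walk is deliberately simple and does not honour /Length, object streams, hex strings or escaped parentheses, which a production parser must.

```python
import hashlib
import re
import zlib

# Channel labels mirror the report's idea that each URL is tagged by how it was
# reached: an external /URI action versus text seen only after decoding a stream.
URI_ACTION = re.compile(rb"/S\s*/URI\b[^>]*?/URI\s*\(([^)]*)\)", re.S)
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")


def build_sample_pdf() -> bytes:
    """Constructed sample (not the analysed file): one page, a link annotation with
    an external /URI action, a FlateDecode content stream whose text carries a URL,
    and a fake TrueType font program embedded via /FontFile2."""
    text = b"BT /F1 12 Tf 72 700 Td (Download at http://example.test/lure.pdf) Tj ET"
    content = zlib.compress(text)
    font = b"\x00\x01\x00\x00" + b"\x00" * 60  # sfnt magic plus padding (constructed)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R]"
        b" /Resources << /Font << /F1 6 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
        + content + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 712]"
        b" /A << /S /URI /URI (https://lure.example/strik?utm_term=logo+quiz) >> >>",
        b"<< /Type /Font /Subtype /TrueType /BaseFont /Fake /FontDescriptor 7 0 R >>",
        b"<< /Type /FontDescriptor /FontName /Fake /FontFile2 8 0 R >>",
        b"<< /Length %d >>\nstream\n" % len(font) + font + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Undo FlateDecode; other filters are left raw (a full tool would chain them)."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw
    return raw


def scan_pdf(data: bytes) -> dict:
    """Return URLs labelled by channel plus any sfnt font programs carved from streams."""
    urls, fonts = [], []
    # Channel 1: /URI actions (link annotations, OpenAction, ...). Only literal
    # string targets are handled here; hex strings and escaped ')' are not.
    for m in URI_ACTION.finditer(data):
        urls.append(("link-annotation", m.group(1).decode("latin-1")))
    for obj in OBJ_RE.finditer(data):
        num, body = int(obj.group(1)), obj.group(2)
        s = STREAM_RE.search(body)
        if not s:
            continue
        decoded = decode_stream(body[: s.start()], s.group(1))
        # Channel 2: URLs that are only visible after decoding stream contents.
        for u in URL_RE.findall(decoded):
            urls.append(("document-body", u.decode("latin-1")))
        # Carve embedded font programs by sfnt magic; offset is that of the raw
        # stream bytes in the file, size is the decoded length (equal when unfiltered).
        if decoded[:4] in SFNT_MAGICS:
            fonts.append({
                "obj": num,
                "offset": obj.start(2) + s.start(1),
                "size": len(decoded),
                "sha256": hashlib.sha256(decoded).hexdigest(),
            })
    return {"urls": urls, "fonts": fonts}


if __name__ == "__main__":
    report = scan_pdf(build_sample_pdf())
    for channel, url in report["urls"]:
        print(f"{channel:16} {url}")
    for f in report["fonts"]:
        print(f"font obj {f['obj']} at 0x{f['offset']:X}, {f['size']} bytes, sha256 {f['sha256']}")
```

Running it against the constructed sample yields one link-annotation URL, one document-body URL and one carved font, which is the same three-way split the report presents for the real sample. The action URL is the one worth blocking first: it fires on a click with no script involved, which is why a page with no extracted JavaScript can still be a working phishing document.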

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ea60.bin
SHA-256: b5834f9884e36928b526cde80fd2b7d8136e2528451d33fa104d0e1777c6c095
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xEA60
Size: 5412 bytes