Malicious PDF — malware analysis report

Static analysis result for SHA-256 119e05846a98a695…

Verdict: MALICIOUS

File type: PDF

Size: 62.5 KB
Created: 2021-01-25 04:33:08 +02:00
Producer: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: ac03c495a5b1efa38ad1e1bfff4f4cb6
SHA-1: a15650e277caddd3aec5082d316f028bffd3e1b8
SHA-256: 119e05846a98a6950cfd6ccc23286b5935d090012c2d70035baf8e332738410d

Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an embedded URI action pointing to a suspicious domain (trafffi.ru), and ClamAV flags the file with a Pdf.Phishing.Trojan signature. The document body is heavily obfuscated, but the URL's utm_term parameter ('physics with vernier lab answers') indicates a search-bait lure designed to get the reader to click through to the attacker-controlled page. No scripts were extracted, so the document's only active element is its external link; the risk lies in the click-through rather than in exploitation of the PDF reader. The combination of an external URI action and the ClamAV detection supports the malicious verdict.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7054

Heuristics (3)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafffi.ru/123?utm_term=physics+with+vernier+lab+answers
    • http://takovod.66ghz.com/dead_silence_full_movie_english_free.pdf
    • https://cdn-cms.f-static.net/uploads/4497071/normal_5fd1316722998.pdf
    • https://cdn.sqhk.co/sadirorig/Ojbggjz/teachers_union_just_pledged_to_defund_police.pdf
    • https://static.s123-cdn-static.com/uploads/4494435/normal_5fc676cb102fe.pdf
    • https://static.s123-cdn-static.com/uploads/4506131/normal_5fe5aee3f2bad.pdf
    • https://cdn.sqhk.co/golomamone/hhjjhdJ/gold_fm_radio_app.pdf
    • https://cdn-cms.f-static.net/uploads/4377908/normal_5fdc8068c9b7b.pdf
    • http://mimasajikataza.iblogger.org/mugedugurepojofelezawozu.pdf
    • https://static.s123-cdn-static.com/uploads/4369333/normal_5ff31233a3ab1.pdf
    • https://cdn.sqhk.co/risubibasero/GVzkfig/spin_the_bottle_challenge_baseball.pdf
    • https://static.s123-cdn-static.com/uploads/4476946/normal_5ff6295be300d.pdf
    • https://static.s123-cdn-static.com/uploads/4388157/normal_5fe0b7430da7d.pdf
    • http://gedamodeges.epizy.com/84693666832.pdf
    • http://paritoxo.rf.gd/mikenitejijusidib.pdf
    • http://sezusol.epizy.com/33945124876.pdf
    • http://buzidasore.rf.gd/badavomewi.pdf
    • https://s3.amazonaws.com/xilasisefi/berlin_liniennetz_route_map.pdf
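The two URL heuristics above (an external URI action, and URLs extracted from the document) are the kind of check an analyst wants to reproduce offline before trusting a scanner's verdict. The following is an added example written for this page, not tooling from the scanner that produced the report: a dependency-free Python triage that inflates FlateDecode streams, folds `#xx` name escapes so that `/#55RI` is recognised as `/URI`, decodes both PDF string forms, and lists the action keys that would turn a static document into one that executes. The sample PDF it scans is constructed inline: its first link annotation carries the report's trafffi.ru URL, and a second link is hidden inside a compressed stream pointing at `example.invalid`, a placeholder domain that is not from the report.

```python
"""Dependency-free triage of a PDF's URI actions and active-content triggers.

Added example for this report, not the scanner's own code. Sample input is
constructed below; example.invalid is a placeholder, not from the report.
"""
import re
import zlib
from dataclasses import dataclass, field

# Dictionary keys that make a PDF act rather than merely render.
RISKY_RE = re.compile(
    rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile|SubmitForm|RichMedia)"
    rb"(?![A-Za-z0-9])")
# Keep any trailing \r in the body: zlib ignores bytes after the stream end.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)
# /URI (literal) or /URI <hex>: the two PDF string forms.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)
NAME_RE = re.compile(rb"/[^\s/<>\[\]()%]+")   # a name token ends at a delimiter
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
        b"(": b"(", b")": b")", b"\\": b"\\"}


def decode_literal(raw: bytes) -> bytes:
    """Undo literal-string escapes: \\n-style, \\ddd octal, backslash-newline."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] != b"\\":
            out += raw[i:i + 1]
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        if nxt in _ESC:
            out += _ESC[nxt]
            i += 2
        elif nxt and nxt in b"01234567":
            m = re.match(rb"[0-7]{1,3}", raw[i + 1:i + 4])
            out.append(int(m.group(0), 8) & 0xFF)
            i += 1 + len(m.group(0))
        elif nxt in (b"\r", b"\n"):            # line continuation, emits nothing
            i += 3 if raw[i + 1:i + 3] == b"\r\n" else 2
        else:                                  # unknown escape: drop the backslash
            out += nxt
            i += 2
    return bytes(out)


def decode_hex(raw: bytes) -> bytes:
    digits = re.sub(rb"\s", b"", raw)
    if len(digits) % 2:
        digits += b"0"                         # spec: a missing final digit reads as 0
    return bytes.fromhex(digits.decode("ascii"))


def fold_name_escapes(view: bytes) -> bytes:
    """Rewrite #xx escapes inside name tokens only, leaving string contents alone."""
    unescape = lambda e: bytes([int(e.group(1), 16)])
    return NAME_RE.sub(lambda m: HEX_ESC_RE.sub(unescape, m.group(0)), view)


def expand_views(data: bytes) -> list:
    """The raw file plus every stream that inflates; a URI inside an object
    stream is invisible to a plain grep of the file."""
    views = [data]
    for m in STREAM_RE.finditer(data):
        try:
            views.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass                               # not Flate or damaged; other filters out of scope
    return views


@dataclass
class ScanResult:
    uris: list = field(default_factory=list)
    risky_keys: dict = field(default_factory=dict)

    @property
    def verdict(self) -> str:
        if self.risky_keys:
            return "active-content"
        return "external-uri" if self.uris else "no-triggers"


def scan_pdf(data: bytes) -> ScanResult:
    res, seen = ScanResult(), set()
    for view in expand_views(data):
        view = fold_name_escapes(view)
        for m in RISKY_RE.finditer(view):
            key = "/" + m.group(1).decode()
            res.risky_keys[key] = res.risky_keys.get(key, 0) + 1
        for m in URI_RE.finditer(view):
            raw = decode_literal(m.group(1)) if m.group(1) is not None else decode_hex(m.group(2))
            uri = raw.decode("latin-1")
            if uri not in seen:
                seen.add(uri)
                res.uris.append(uri)
    return res


def build_sample_pdf() -> bytes:
    """Constructed sample: one plain link annotation plus one inside a Flate stream."""
    lure = b"https://trafffi.ru/123?utm_term=physics+with+vernier+lab+answers"
    hidden = (b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <"
              + b"https://example.invalid/lure2".hex().encode() + b"> >> >> endobj")
    packed = zlib.compress(hidden)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj\n"
            b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 540 720]\n"
            b"   /A << /S /#55RI /URI (" + lure + b") >> >> endobj\n"
            b"6 0 obj << /Length " + str(len(packed)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + packed + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    r = scan_pdf(build_sample_pdf())
    print(r.verdict, r.risky_keys, *r.uris, sep="\n")
```

Run it as-is and the verdict for the constructed sample is `external-uri` with both URLs listed and no risky keys, which is the same shape of finding the report records for this file: links only, no scripts. The check is deliberately conservative in what it decodes (only FlateDecode, only the two string forms), so treat a `no-triggers` result as "nothing found by this pass", not as a clean bill of health; other stream filters, encrypted documents and incremental updates need a full parser.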