Malicious PDF — malware analysis report

Static analysis result for SHA-256 1bb3874626db6799…

MALICIOUS

PDF

Size: 57.2 KB
Created: 2021-03-20 22:09:47 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c9049af50a7a7e29dfb39313354b7abf
SHA-1: 20166d746adc6c36fad39290a57d79179cbcdff5
SHA-256: 1bb3874626db679946b15be40dbc78a8295cece95dfaa1c8e86599385b413eb2
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains an embedded URL pointing to 'jottigo.ru', which is likely a phishing or malware distribution site. The document body, though heavily obfuscated, contains text that appears to be a lure related to 'Burket s oral medicine pdf'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9119

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jottigo.ru/award?keyword=burket+s+oral+medicine+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000c9fc.bin
SHA-256: 7e65e0af087ef49e8aa922c3ec643fd8f8149a6ec5aaa7ca3bf60fdc4148ce2a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xC9FC
Size: 5416 bytes