Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c342d802e98da57…

Verdict: MALICIOUS
File type: PDF
Size: 65.6 KB
Created: 2021-03-27 12:08:19 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 534487898b5120dbeff556c9338c74a3
SHA-1: d5bc1136caafc6013b64f35d972fa7969ad9719b
SHA-256: 1c342d802e98da57db3baba56c4bf70484d82b483ac6995c0c83a2f4121bac24
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, specifically as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, likely intended to deliver a malicious payload or redirect to a phishing page. The document body, though heavily obfuscated, suggests a lure related to COVID-19 tax deferrals, a common phishing tactic. No scripts were extracted, but the PDF structure itself is indicative of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9263

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/strik?utm_term=can+i+defer+my+corporation+tax+payment+because+of+covid+19

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f1b9.bin
SHA-256:  47e35f36115e1be82b2209bfd01ecdc9201c85f300cb923fcf21d3a373f63ddf
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0xF1B9
Size:     5752 bytes