Malicious PDF — malware analysis report

Static analysis result for SHA-256 1e96b24095cbbd6e…

MALICIOUS

PDF

Size: 66.6 KB
Created: 2021-02-25 12:04:55 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: eac645948633ae306ddb0b257da2f193
SHA-1: 3215fd46750d0aeb52cbfa03765b16a47ea1a36f
SHA-256: 1e96b24095cbbd6e10fa3d144a42522fc56fdcbde005eb1e1e03abbc733dc0b4
Risk score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV (a Pdf.Phishing.Trojan signature) and by the Nyx ML classifier. The only URL the document actively opens is the /URI action on its link annotation, pointing to leonvi.ru; every other URL occurs only as document text, and the last three (ascendercorp.com and scripts.sil.org/OFL) look like font-licence references (Ascender Corporation, SIL Open Font License) rather than lure links. The authoring application, wkhtmltopdf, renders HTML to PDF, so the document was generated from a web page rather than authored in a desktop editor. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9752

Heuristics (3)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The document contains an external URL action (a /URI action attached to a link annotation).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached each URL. Only the link-annotation URL is a click target; the "document text" URLs are strings printed on the page.
    • https://leonvi.ru/aws?utm_term=manual+parlante+jbl+flip+5+bluetooth  (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4421476/normal_601ae2625f3b4.pdf  (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4380522/normal_5fc9fab4b2032.pdf  (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4475863/normal_5fffc2cf954fb.pdf  (in PDF document text)
    • http://limaxinsto.xyz/37365260496jobt7.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4449012/normal_600e88bff1a01.pdf  (in PDF document text)
    • https://cdn.sqhk.co/feziwetesene/jbJkMia/learning_quran_online_reviews.pdf  (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4412774/normal_600043b89530c.pdf  (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4494436/normal_6008ec4c4d81d.pdf  (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4452374/normal_5fe111e956576.pdf  (in PDF document text)
    • http://help-business-media.com/how_to_connect_presonus_to_ipad91q7g.pdf  (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4487413/normal_5fffb5d652ece.pdf  (in PDF document text)
    • https://cdn.sqhk.co/xasakeza/gc4ighb/wisugutosifadimizolegi.pdf  (in PDF document text)
    • http://sanatoriy-izumrudny.ru/math_transformations_worksheets_8th_grade7k1n0.pdf  (in PDF document text)
    • https://cdn.sqhk.co/nimabugokofa/2jaBje7/classical_music_for_babies_in_womb.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4486535/normal_5fd64661f012a.pdf  (in PDF document text)
    • http://www.ascendercorp.com/  (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html  (in PDF document text)
    • http://scripts.sil.org/OFL  (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off0000dc98.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xDC98   5156 bytes
    SHA-256: 598f91e63e63b6f247c242b33d29fa9bc0c4c34e7b8591641f579a4a5af0a470
font_01_sfnt_off0000ee2a.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xEE2A   2072 bytes
    SHA-256: ff25f8a7728d22e2a3ca685ec29cba52a3985019e138e122e46779cc8d706f39
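The two sections above (the per-channel URL labels and the carved sfnt font streams) come from a regex-level pass over the raw PDF objects. The script below is an added example written for this page, not the analysis platform's code: it labels each URL as either the string value of a /URI action on a /Link annotation (a click target) or plain text inside a decoded content stream, and it carves any stream whose decoded bytes start with an sfnt magic, reporting object number, raw stream offset, carved size and SHA-256, the same fields the artifacts table shows. The PDF it parses is constructed inline; the hosts lure.example and license.example are invented and the font stream is a fake header, not a real font.

```python
"""Regex-level PDF triage: label URLs by carrying channel and carve sfnt font streams.

Added example, not the analysis platform's code. The sample PDF is constructed
below; lure.example and license.example are invented hostnames.
"""
import hashlib
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")               # string value of a /URI action
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")                   # URL printed as page text
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\d)(?!\s+\d+\s+R)")  # direct /Length, not 'N 0 R'
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")     # TrueType / OpenType / collection


def iter_objects(pdf):
    """Yield one dict per 'N G obj ... endobj' block: header bytes, raw stream body,
    the body's file offset, and the body after /FlateDecode (None if it fails)."""
    for m in OBJ_RE.finditer(pdf):
        raw = m.group(3)
        head, kw, rest = raw.partition(b"stream")
        obj = {"num": int(m.group(1)), "head": head, "body": None,
               "decoded": None, "offset": None}
        if kw:
            # Exactly one EOL follows the 'stream' keyword; binary data starts after it.
            eol = 2 if rest.startswith(b"\r\n") else (1 if rest.startswith(b"\n") else 0)
            n = LENGTH_RE.search(head)
            if n:                                  # trust a direct /Length
                body = rest[eol:eol + int(n.group(1))]
            else:                                  # fall back to the endstream keyword
                body = rest[eol:rest.rfind(b"endstream")].rstrip(b"\r\n")
            obj["body"] = body
            obj["offset"] = m.start(3) + len(head) + len(kw) + eol
            if b"/FlateDecode" in head:
                try:
                    obj["decoded"] = zlib.decompress(body)
                except zlib.error:
                    obj["decoded"] = None          # corrupt or unsupported: skip, never guess
            else:
                obj["decoded"] = body
        yield obj


def extract_urls(pdf):
    """Return (url, channel) pairs. A /URI action on a /Link annotation is a click
    target; a URL found in decoded content-stream text is only printed text."""
    found = []
    for obj in iter_objects(pdf):
        for m in URI_ACTION_RE.finditer(obj["head"]):
            channel = "PDF link annotation" if b"/Link" in obj["head"] else "PDF URI action"
            found.append((m.group(1).decode("latin-1"), channel))
        if obj["decoded"]:
            for m in URL_RE.finditer(obj["decoded"]):
                found.append((m.group(0).decode("latin-1"), "PDF document text"))
    return found


def carve_sfnt_fonts(pdf):
    """Carve every stream whose decoded bytes start with an sfnt magic."""
    fonts = []
    for obj in iter_objects(pdf):
        data = obj["decoded"]
        if data and data[:4] in SFNT_MAGICS:
            fonts.append({"object": obj["num"], "offset": obj["offset"],
                          "size": len(data), "sha256": hashlib.sha256(data).hexdigest()})
    return fonts


def build_sample():
    """Constructed PDF: a Link annotation with a /URI action, a Flate-compressed
    content stream that prints a licence URL, and a fake sfnt font stream."""
    text = b"BT /F1 12 Tf 72 700 Td (See http://license.example/OFL for terms) Tj ET"
    packed = zlib.compress(text)
    font = b"\x00\x01\x00\x00\x00\x03" + b"FONTDATA"   # sfnt version 1.0, numTables=3, filler
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj\n",
        b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed),
        packed, b"\nendstream\nendobj\n",
        b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 300 710]"
        b" /A << /S /URI /URI (https://lure.example/aws?utm_term=manual) >> >> endobj\n",
        b"6 0 obj << /Length %d >>\nstream\n" % len(font), font, b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    sample = build_sample()
    for url, channel in extract_urls(sample):
        print(f"{channel:22} {url}")
    for f in carve_sfnt_fonts(sample):
        print(f"font in obj {f['object']} at 0x{f['offset']:X}, {f['size']} bytes, "
              f"sha256 {f['sha256'][:16]}...")
```

This is a triage pass, not a PDF parser: it ignores object streams (/ObjStm), incremental updates, encrypted strings, filters other than Flate, and /A actions stored as separate indirect objects (those are labelled "PDF URI action" rather than "link annotation"), and real document text is usually split across many Tj operators with custom encodings, so a URL in page text will often not survive this regex. For a real sample, confirm with a proper tool such as Didier Stevens' pdf-parser.py, and treat only URI actions, OpenAction/AA entries and JavaScript as things the reader will execute; a URL that merely appears as text is an indicator to pivot on, not a detection in itself.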