Malicious PDF — malware analysis report

Static analysis result for SHA-256 21b9021f9d39c1de…

Verdict: MALICIOUS
File type: PDF
Size: 58.6 KB
Created: 2021-03-10 21:19:34 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 626985abd12f68b546bfa2a86a67aadd
SHA-1: 58be0614330a823379e17ceac7d3d691ef9d8905
SHA-256: 21b9021f9d39c1def994b94f30fcc244731d35905d35b6cbd0fc66d6c8c8bf61
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries an external URI action pointing at a suspicious domain (jottigo.ru), and ClamAV matches it with a PDF phishing signature. The lure theme, 'causes of first world war pdf', is inferred from the keyword query parameter of that URI rather than from readable page text, since the document body is heavily obfuscated. The primary IOC is that URL; it is most likely used to redirect the user to a phishing page or to fetch a secondary payload, so the link rather than the PDF itself should be treated as the delivery step. Note that none of the three heuristics below reports embedded JavaScript, so the T1059.007 mapping is not corroborated by this static pass.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8090

Heuristics (3)

  • ClamAV detection (critical) CLAMAV_DETECTION
    ClamAV signature: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL. Several entries (the ascendercorp.com links and http://scripts.sil.org/OFL, the SIL Open Font License URL) are the kind of foundry and licence strings carried in embedded font metadata and should not be treated as lure links.
    • https://jottigo.ru/award?keyword=causes+of+first+world+war+pdf (primary IOC; carries the lure keyword)
    • http://rasprodavaika.ru/el_rompope_se_caducairqqk.pdf
    • http://erethiztzj.space/pride_and_prejudice_movie_free_online_2005u7pzu.pdf
    • http://xevusezes.medianewsonline.com/blackmagic_atem_television_studio_hd_manual.pdf
    • http://vopugixeroramox.medianewsonline.com/xilemananokivifevedinu.pdf
    • http://xogunajeraxuda.mywebcommunity.org/73419186505.pdf
    • http://wudazex.sportsontheweb.net/13018277826.pdf
    • http://nebofimanigi.sportsontheweb.net/26349163829.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/vizegemawokaxe/38254116457.pdf
    • https://ee897e78-a157-4eb5-8a47-d615096087a2.filesusr.com/ugd/113e89_488b00a143364b78b00b72412627b1c7.pdf?index=true
    • https://s3.amazonaws.com/wokesabisevo/59174477462.pdf
    • https://s3.amazonaws.com/jifesu/7319348560.pdf
    • https://edefa294-c65c-46c5-840b-8a4669b9fdfe.filesusr.com/ugd/e4a001_9c8337a09b9b4690b15d975ea8f5622b.pdf?index=true
    • https://aee666f7-65d2-4416-8089-42e5bd85255d.filesusr.com/ugd/c4036c_5b6c1d2d26ee45b490d910ad1e4fe8ca.pdf?index=true
    • https://s3.amazonaws.com/lepefi/waze_for_android_auto_apk.pdf
    • http://benamow.myartsonline.com/paxusopojanika.pdf
    • http://gototura.myartsonline.com/haircut_locations_open_near_me.pdf
    • https://s3.amazonaws.com/wotodedaruzuk/brain_test_questions_and_answers_in_english.pdf
    • https://44f39d5c-a655-4437-91b6-62b11e148e71.filesusr.com/ugd/eb4c03_ea00b45fc4814aef9155a975a74a4266.pdf?index=true
    • https://3745348a-78a0-42d7-8ff4-af2b45bf5faf.filesusr.com/ugd/02631b_5f5bfa9a5cee4f36946f999775ad56e3.pdf?index=true
    • https://s3.amazonaws.com/lupuvogotog/40812649649.pdf
    • https://s3.amazonaws.com/kodipopujufipig/mivojulofevegibunidin.pdf
    • http://scripts.sil.org/OFL
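The PDF_URI and EMBEDDED_URL heuristics above differ only in channel: the first fires on a /URI action that runs when the link is clicked, the second on any URL string found anywhere in the file. The following is an added example, not the report's own tooling, that labels each extracted URL with the channels that carried it (URI action, inflated FlateDecode stream, raw stream, or loose body string). The sample PDF is constructed inline; the example.invalid URLs are placeholders, and the page's jottigo.ru IOC is embedded as a string only and is never fetched.

```python
import re
import zlib
from collections import defaultdict

# Channel matters to an analyst: a /URI action fires on click, a FlateDecode
# stream hides its strings from a naive grep, and "body" is everything else
# (info dictionary strings, annotation text, comments).
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # literal strings only; hex <...> strings are not handled
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _clean(url):
    return url.rstrip(b".,;").decode("latin-1")


def _inside(pos, spans):
    return any(start <= pos < end for start, end in spans)


def extract_urls(pdf):
    """Map each URL in the PDF bytes to the set of channels that carried it."""
    found = defaultdict(set)

    # 1. URI actions (the PDF_URI channel). Remember their spans so the body
    #    scan below does not double-report them.
    uri_spans = []
    for m in URI_ACTION_RE.finditer(pdf):
        found[_clean(m.group(1))].add("uri_action")
        uri_spans.append(m.span(1))

    # 2. Stream payloads, inflated when the owning object's dictionary says /FlateDecode.
    stream_spans = []
    for m in STREAM_RE.finditer(pdf):
        stream_spans.append(m.span())
        obj_start = max(pdf.rfind(b" obj", 0, m.start()), 0)
        dictionary = pdf[obj_start:m.start()]
        payload, channel = m.group(1), "stream"
        if b"/FlateDecode" in dictionary:
            try:
                payload, channel = zlib.decompress(payload), "flate_stream"
            except zlib.error:
                channel = "stream_undecodable"   # corrupt or unsupported filter chain
        for u in URL_RE.finditer(payload):
            found[_clean(u.group())].add(channel)

    # 3. Loose strings outside streams and outside URI action strings.
    for u in URL_RE.finditer(pdf):
        if _inside(u.start(), stream_spans) or _inside(u.start(), uri_spans):
            continue
        found[_clean(u.group())].add("body")
    return dict(found)


def build_sample_pdf():
    """Constructed stand-in for the sample: one page, a link annotation whose
    /URI action targets the page's reported IOC, a deflated content stream
    holding a second URL, and a loose URL in the /Info dictionary."""
    content = zlib.compress(b"BT /F1 12 Tf 72 700 Td (see http://example.invalid/lure.pdf) Tj ET")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 710] "
        b"/A << /S /URI /URI (https://jottigo.ru/award?keyword=causes+of+first+world+war+pdf) >> >>",
        b"<< /Producer (wkhtmltopdf 0.12.5) /Subject (http://example.invalid/info-string) >>",
    ]
    out = b"%PDF-1.4\n"
    offsets = []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R /Info 6 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return out


if __name__ == "__main__":
    for url, channels in sorted(extract_urls(build_sample_pdf()).items()):
        print("%-70s %s" % (url, ",".join(sorted(channels))))
```

Run against a real sample with `extract_urls(open(path, "rb").read())`. The regexes are deliberately tolerant rather than a full PDF parser: object streams (/ObjStm), other filters such as /LZWDecode, and hex-encoded /URI strings are not decoded, so a clean result from this script is not proof of absence.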

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000cffa.bin
SHA-256: 8ae06b6f49fe887b7d98858b7ed087d7f2fddb987f15e05da34fcc329247c732
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xCFFA
Size: 4928 bytes
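A carved font stream is worth a structural check before it is dismissed as benign, because an sfnt container makes a convenient place to append a payload after the last table. This added example, not part of the report or its tooling, parses the sfnt table directory of a carved blob, verifies every table lies inside the blob, hashes it, and measures the slack after the last table. The sample blob is constructed inline and is not a usable font; all function names are the author's own.

```python
import hashlib
import struct

# sfnt flavours by their 4-byte version tag. TrueType collections ("ttcf")
# need a different directory walk and are reported as unsupported here.
SFNT_MAGICS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"OTTO": "OpenType/CFF",
    b"true": "Apple TrueType",
}


def inspect_sfnt(blob):
    """Parse the sfnt table directory of a carved font and report its shape.

    Returns None when the blob is not a structurally valid single sfnt
    (wrong magic, truncated directory, or a table record pointing outside
    the blob). Otherwise returns flavour, table tags, hash, and the number
    of slack bytes after the last table, which in a genuine font is at most
    the 3 bytes of 4-byte alignment padding.
    """
    flavour = SFNT_MAGICS.get(blob[:4])
    if flavour is None or len(blob) < 12:
        return None
    num_tables = struct.unpack(">H", blob[4:6])[0]
    directory_end = 12 + 16 * num_tables
    if num_tables == 0 or directory_end > len(blob):
        return None
    tables, data_end = [], directory_end
    for i in range(num_tables):
        tag, _checksum, offset, length = struct.unpack(">4sIII", blob[12 + 16 * i:28 + 16 * i])
        if offset < directory_end or offset + length > len(blob):
            return None                      # table overlaps the directory or runs past the end
        tables.append(tag.decode("latin-1"))
        data_end = max(data_end, offset + length)
    slack = blob[data_end:]
    return {
        "flavour": flavour,
        "tables": tables,
        "size": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "slack_bytes": len(slack),
        # More than alignment padding, or padding that is not zero, deserves a look.
        "suspicious_slack": len(slack) > 3 or any(slack),
    }


def build_sample_sfnt(trailing=b""):
    """Constructed minimal TrueType container with two zero-filled tables.
    `trailing` simulates data appended after the last table."""
    records = [(b"head", 54), (b"name", 8)]
    header = struct.pack(">IHHHH", 0x00010000, len(records), 0, 0, 0)
    directory, data = b"", b""
    offset = 12 + 16 * len(records)
    for tag, length in records:
        directory += struct.pack(">4sIII", tag, 0, offset, length)
        padded = (length + 3) & ~3           # tables are 4-byte aligned
        data += b"\0" * padded
        offset += padded
    return header + directory + data + trailing


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_sfnt()),
                        ("appended", build_sample_sfnt(b"MZ\x90\x00" * 4))):
        print(label, inspect_sfnt(blob))
```

For the artifact listed above, `inspect_sfnt(open("font_00_sfnt_off0000cffa.bin", "rb").read())` gives the table list to compare against what a wkhtmltopdf-produced subset font normally carries, and a non-trivial slack count would justify carving the tail out for separate analysis.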