Malicious PDF — malware analysis report

Static analysis result for SHA-256 21f6a7b7855f696d…

MALICIOUS

PDF

Size: 75.6 KB
Created: 2021-04-06 13:59:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 869ec90446c857f662b552dd1e24c408
SHA-1: 41f194b83ff0cfb1126cd1e4349419fa464ea0f0
SHA-256: 21f6a7b7855f696d0e235fea1b589d94749824ac0655b8dc1f5fb275d77e74ef
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan'. An embedded URI points to a suspicious domain, 'zajinet.ru', which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, contains text related to 'Summer escapes pool filter pump', suggesting a lure to disguise the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9769

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://zajinet.ru/aws?utm_term=summer+escapes+pool+filter+pump

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0001176a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1176A  5264 bytes
  SHA-256: e9badb7e56ed1584ef0872195a3d482ed178e3cd96fd26f386f9697b4f77f116