Malicious PDF — malware analysis report

Static analysis result for SHA-256 33f9522f6fa2b045…

Verdict: MALICIOUS
File type: PDF

Size: 77.7 KB
Created: 2021-03-18 21:54:23 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b0bd9ce17beed3c8aab7813ad6063d3b
SHA-1: d0257bdfe59f32ccadc0243b91211dab5f209c12
SHA-256: 33f9522f6fa2b0456cc28d342ae9801a0460c2fa7689ee363f9e0d5ba7d90f60
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is a PDF containing multiple embedded URLs, many of which are flagged as unknown or potentially malicious. ClamAV detected it as Pdf.Phishing.Trojan and the ML classifier also flagged it. The document body is heavily obfuscated, but the recoverable text and the URL paths (invoice-style names such as "facture", alongside educational-material titles) point to a lure of the kind used in phishing, hosted largely on free-hosting and site-builder domains. The external URI action is the delivery mechanism: activating the link sends the reader to remote content the document itself does not carry. Not every extracted URL belongs to the lure; two sfnt fonts are embedded (see the extracted artifacts below), and entries such as the SIL OFL licence link and the Ascender Corporation foundry pages are what embedded font metadata typically contributes, so they should be weighed separately from the lure URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7733

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware under the signature above.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action (a /URI action), i.e. a link that fetches a remote resource when activated.
  • Embedded URLs (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://mezovuduw.ru/award?keyword=facture+auto+entrepreneur+maroc+pdf
    • http://biwadevebudorif.22web.org/38121732377.pdf
    • http://dusosax.66ghz.com/teaching_english_as_a_second_language_courses_tafe.pdf
    • http://shoop-fm.ru/pacify_meaning_in_english_tamil959eu.pdf
    • http://molotkov.site/tigoz7f1et.pdf
    • https://cdn-cms.f-static.net/uploads/4410678/normal_60417db3b4da5.pdf
    • https://cdn-cms.f-static.net/uploads/4417990/normal_603ebd62bfb0f.pdf
    • https://cdn-cms.f-static.net/uploads/4384645/normal_5fd7988cb1f24.pdf
    • http://micrometerdigital.xyz/tokigeku8160j.pdf
    • https://static.s123-cdn-static.com/uploads/4451353/normal_5fde6a796c2b7.pdf
    • http://table-wait.com/ancient_magus_bride_elias_wendigoc6ts7.pdf
    • https://vibovetegaj.weebly.com/uploads/1/3/4/6/134695113/8195076.pdf
    • http://damvglaz1.xyz/how_do_you_calculate_the_half_life_of_an_elementw9soz.pdf
    • https://pumebaluzepur.weebly.com/uploads/1/3/5/3/135326980/5037409.pdf
    • https://cdn-cms.f-static.net/uploads/4416671/normal_60414fc481bd5.pdf
    • https://vopumatibu.weebly.com/uploads/1/3/4/4/134402560/0b0a24c1a960f6.pdf
    • https://static.s123-cdn-static.com/uploads/4445326/normal_5fcf0e0213ba1.pdf
    • https://texoxarisozitew.weebly.com/uploads/1/3/0/9/130969357/7359901.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/69543704-cd1f-4c6c-8800-464fa1e87e1b/dagawakezuzulu.pdf
    • http://ninefaniki.rf.gd/wotajolasemof.pdf
    • https://uploads.strikinglycdn.com/files/62056313-81c4-41ba-a7c1-a233ab690500/15648553133.pdf
    • https://uploads.strikinglycdn.com/files/46dfdc5e-da15-41a1-99c9-5e213bef770f/wuzevifakovejalapaloge.pdf
    • https://uploads.strikinglycdn.com/files/667e780b-6ba4-47e2-b0e1-283cb2f87c9e/pl_sql_coding_conventions.pdf
    • https://uploads.strikinglycdn.com/files/abe878a2-7bdb-4a26-ae27-c1efff5552d9/fakolifudoposu.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00010386.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10386
    Size: 4880 bytes
    SHA-256: 0f048ffce33e1149d23e48cde56b62cbb9bddb80c9c9b6e00000456de683c304
  • font_01_sfnt_off000113fc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x113FC
    Size: 12372 bytes
    SHA-256: be12383307ac43506b1a9deabe830981a38f3f8c6d5156e98a6bcf8121dc1861
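The following script is an added example, written for this page rather than taken from the scanner or from any analysis of the sample above. It reproduces, in plain Python, the three static checks the report relies on: the PDF_URI heuristic (targets of /URI link actions), the EMBEDDED_URL listing with a per-URL channel label (link annotation, JavaScript action, page content, font stream, or unattributed), and the font carving behind the extracted-artifacts table (inflated streams that start with an sfnt magic, named by stream offset and hashed). Everything it operates on is constructed: the object layout, the `example.invalid` URLs, the `app.launchURL` JavaScript body and the fake font bytes in `SAMPLE_FONT` are stand-ins, and the parser is deliberately minimal (FlateDecode only, no xref or object-stream parsing, no octal escapes, no balanced unescaped parentheses in strings). The reason it inflates streams before scanning is the same reason this sample reads as obfuscated: wkhtmltopdf compresses content streams, so URLs in the page body only appear after decompression.

```python
# Static triage of a PDF's URL channels and embedded sfnt fonts (stdlib only).
# Added example for this page, not the scanner's code: the object layout, the example.invalid
# URLs, the JavaScript body and the font bytes are all constructed.
import hashlib
import re
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")  # TrueType / CFF OpenType / Mac TrueType / collection
URL_RE = re.compile(rb"https?://[\w.~:/?#@!$&*+,;=%-]+")  # RFC 3986 chars minus quotes/parens, so strings end cleanly
LITERAL = rb"\(((?:\\.|[^\\)])*)\)"  # PDF literal string up to the first unescaped ')' (nested parens not handled)
URI_RE = re.compile(rb"/URI\s*" + LITERAL)  # /A << /S /URI /URI (...) >> of a link annotation
JS_RE = re.compile(rb"/JS\s*" + LITERAL)  # /S /JavaScript /JS (...) action body

# Constructed stand-in for an embedded font: sfnt version 1.0, numTables=2, then a fake 'name' record
# carrying a licence URL, the usual origin of benign-looking URLs found inside carved fonts.
SAMPLE_FONT = (b"\x00\x01\x00\x00\x00\x02" + b"\x00" * 26
               + b"Licence: http://license.example.invalid/OFL" + b"\x00" * 64)


def pdf_string(raw: bytes) -> bytes:
    """Undo the common literal-string escapes (backslash before '(', ')' or '\\'); octal escapes are left alone."""
    return re.sub(rb"\\([\\()])", rb"\1", raw)


def iter_streams(pdf: bytes):
    """Yield (data_offset, object_header, data, inflated) per stream object, inflating FlateDecode streams."""
    for m in re.finditer(rb"(?<!end)stream\r?\n", pdf):
        start, end = m.end(), pdf.find(b"endstream", m.end())
        if end < 0:
            break
        obj = pdf.rfind(b" obj", 0, m.start())  # the owning object's dictionary sits between here and 'stream'
        header = pdf[obj:m.start()] if obj >= 0 else b""
        raw = pdf[start:end]
        raw = raw[:-2] if raw.endswith(b"\r\n") else raw[:-1] if raw.endswith(b"\n") else raw  # drop one EOL
        inflated = False
        if b"/FlateDecode" in header:
            try:
                raw, inflated = zlib.decompress(raw), True
            except zlib.error:
                pass  # corrupt or multi-filter stream: keep the raw bytes
        yield start, header, raw, inflated


def find_uri_actions(pdf: bytes) -> list:
    """PDF_URI heuristic: /URI action targets in the raw file and inside inflated (object) streams."""
    blobs = [pdf] + [d for _, _, d, inf in iter_streams(pdf) if inf]
    return sorted({pdf_string(m.group(1)).decode("latin-1") for b in blobs for m in URI_RE.finditer(b)})


def extract_urls(pdf: bytes) -> dict:
    """EMBEDDED_URL listing: URL -> sorted channels that reached it, so licence/foundry links can be discounted."""
    found = {}

    def add(url: bytes, channel: str):
        found.setdefault(url.rstrip(b".,;").decode("latin-1"), set()).add(channel)

    for url in find_uri_actions(pdf):
        add(url.encode("latin-1"), "link-annotation")
    for blob in [pdf] + [d for _, _, d, inf in iter_streams(pdf) if inf]:
        for m in JS_RE.finditer(blob):
            for u in URL_RE.finditer(pdf_string(m.group(1))):
                add(u.group(), "javascript")
    for _, header, data, inflated in iter_streams(pdf):
        if inflated:
            channel = ("font-stream" if data[:4] in SFNT_MAGICS or b"/FontFile" in header
                       else "javascript" if b"/JavaScript" in header else "document-body")
            for u in URL_RE.finditer(data):
                add(u.group(), channel)
    for u in URL_RE.finditer(pdf):  # whatever is left in the raw file: XMP metadata, uncompressed streams
        if u.group().rstrip(b".,;").decode("latin-1") not in found:
            add(u.group(), "unattributed")
    return {u: sorted(c) for u, c in sorted(found.items())}


def carve_sfnt_fonts(pdf: bytes) -> list:
    """Reproduce the 'Extracted artifacts' rows: every inflated stream that starts with an sfnt magic."""
    fonts = []
    for off, _, data, _ in iter_streams(pdf):
        if data[:4] in SFNT_MAGICS:
            fonts.append({"filename": "font_%02d_sfnt_off%08x.bin" % (len(fonts), off),
                          "sha256": hashlib.sha256(data).hexdigest(), "size": len(data)})
    return fonts


def _stream_obj(extra: bytes, data: bytes) -> bytes:
    comp = zlib.compress(data)
    return b"<< /Length %d /Filter /FlateDecode %s>>\nstream\n%s\nendstream" % (len(comp), extra, comp)


def build_sample_pdf() -> bytes:
    """Constructed lure-style PDF: JavaScript OpenAction, link annotation, compressed page body, one font."""
    body = b"BT /F1 12 Tf 20 700 Td (Invoice: http://files.example.invalid/38121732377.pdf) Tj ET"
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript "
        b"/JS (app.launchURL\\(\"http://js.example.invalid/x.pdf\", true\\);) >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] /Contents 5 0 R >>",
        b"<< /Type /Annot /Subtype /Link /Rect [20 20 200 40] "
        b"/A << /S /URI /URI (https://lure.example.invalid/award?keyword=facture+pdf) >> >>",
        _stream_obj(b"", body),
        _stream_obj(b"/Length1 %d " % len(SAMPLE_FONT), SAMPLE_FONT),  # shaped like a /FontFile2 stream
    ]
    out = b"%PDF-1.4\n"
    for n, obj in enumerate(objects, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (n, obj)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"  # xref omitted: irrelevant to static carving
```

On the constructed sample, `extract_urls(build_sample_pdf())` labels the annotation target as `link-annotation`, the `app.launchURL` target as `javascript`, the URL in the compressed page body as `document-body` and the licence URL inside the font as `font-stream`; `carve_sfnt_fonts` returns one row named `font_00_sfnt_off<offset>.bin` with the font's size and SHA-256, the same shape as the table above. For a real file, pass `open(path, "rb").read()`. The channel labels are the point: the first two channels are what a reader can be driven to, while `font-stream` is where licence and foundry links usually come from, which is the distinction the report's "the URL itself is not a detection" note asks the analyst to make.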