Malicious PDF — malware analysis report

Static analysis result for SHA-256 361c8154a55359c5…

MALICIOUS

PDF

Size: 72.7 KB
Created: 2021-05-19 06:07:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 39ec34f68cf571d840f6a3661c646d7e
SHA-1: cc7090a97e025c5c68b69fd58324a47e3298c8f9
SHA-256: 361c8154a55359c5ebbd28838b2d633c8daadf77cf92d924bfa642f4e00b0c9a
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains a malicious URL, identified by ClamAV as Pdf.Phishing.Trojan. The embedded URL likely leads to a phishing or malware distribution site. The document body, though heavily obfuscated, suggests an attempt to disguise its malicious intent with seemingly educational content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.5010

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f7c7.bin
SHA-256: 33a4191de56aca729b8775edbb5b8bc7a47b85f08543dc5f2ee25749eca566fe
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF7C7
Size: 5236 bytes