Malicious PDF — malware analysis report

Static analysis result for SHA-256 365abfaa12628b33…

MALICIOUS

PDF

63.0 KB Created: 2020-11-26 03:56:28 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 03b0f7574c5f9291d6bf66a0876a0b39 SHA-1: b092a57990e635e41fa4ba1514c7487a01e0d0c8 SHA-256: 365abfaa12628b336ba7ed3ec51829ee0164ead56e7be804bee36eddfc56e596
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded URI pointing to a suspicious domain, and ClamAV detection confirms its malicious nature. The ML classifier also flagged it with high confidence. While no explicit script was extracted, the presence of an external URI suggests an attempt to download a secondary payload, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8355

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffi.ru/strik?utm_term=western+civilization+spielvogel+9th+edition+pdf
    • https://cdn-cms.f-static.net/uploads/4427086/normal_5fa342cb8812a.pdf
    • https://cdn-cms.f-static.net/uploads/4503050/normal_5fbed2bd8ac07.pdf
    • https://cdn-cms.f-static.net/uploads/4408865/normal_5fafd17868e59.pdf
    • https://cdn-cms.f-static.net/uploads/4454988/normal_5fb6ee2ebae8f.pdf
    • https://cdn-cms.f-static.net/uploads/4408858/normal_5fb9ede16e823.pdf
    • https://cdn-cms.f-static.net/uploads/4367964/normal_5faf9cb8c1b80.pdf
    • https://cdn-cms.f-static.net/uploads/4421218/normal_5fa20fc99cdb5.pdf
    • https://cdn-cms.f-static.net/uploads/4384299/normal_5f937ed32289d.pdf
    • https://cdn-cms.f-static.net/uploads/4501028/normal_5fb28fb3d7544.pdf
    • http://www.opentle.org
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/kevava/dnd_5e_non_attunement_items.pdf
    • https://uploads.strikinglycdn.com/files/dbb47277-3710-4f37-be99-59309bf20480/75257788715.pdf
    • https://s3.amazonaws.com/lixuzo/fairfield_university_bursar_login.pdf
    • https://uploads.strikinglycdn.com/files/319784f1-3042-4468-845f-e4f6324cc99f/laresufuve.pdf
    • http://www.gnu.org/licenses/gpl.html
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off0000d4f1.bin
c9c3b66436798891088cea8328e7b5a59159d4dd491e03be5b824cc7edb7d68f		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xD4F1 14876 bytes
font_00_sfnt_off0000c183.bin
c432c3bb7f703a8aaec35a4efc89583cfc154bfa95bdf14dd90a0dbcbdc75bfc		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC183 5696 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.