Malicious PDF — malware analysis report

Static analysis result for SHA-256 371b46670b7f1291…

Verdict: MALICIOUS
File type: PDF
Size: 69.6 KB
Created: 2021-04-23 12:03:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a2456301c6b4220dd469cf1d1019e8d7
SHA-1: 8c64f3008b69a424b742b7b8115d9a984993544d
SHA-256: 371b46670b7f12912333a73a692c01a9b90696218df4c9433f1d3c0e9b516b3c
Risk score: 94

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous embedded URLs, with the primary one being https://crophysi.ru/strik?utm_term=caracteristicas+de+los+algoritmos+cualitativos, suggesting a phishing or malware distribution lure. Although no scripts were explicitly extracted, the PDF structure and embedded URIs point towards an attempt to redirect users to potentially harmful external sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8294

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://crophysi.ru/strik?utm_term=caracteristicas+de+los+algoritmos+cualitativos
    • http://confirmyourverifiedbadge.com/carcassi_etudese0nc9.pdf
    • https://dexejajakoto.weebly.com/uploads/1/3/0/7/130739268/tepawezas-mevenive-gaxag.pdf
    • https://tobuzedatenet.weebly.com/uploads/1/3/4/3/134322281/6471ec66a6.pdf
    • http://xilabapuradom.iblogger.org/two_by_two_nicholas_sparks_movie.pdf
    • https://cdn.sqhk.co/dajusonas/ieFiggi/how_to_make_rc_plane_control_surfaces.pdf
    • https://cdn.sqhk.co/sejixikerut/hewa4jc/23159897932.pdf
    • http://wumawof.iblogger.org/aseptic_packaging_system.pdf
    • http://bawikivogo.22web.org/m_b_b_s_ki_full_form.pdf
    • https://katesagi.weebly.com/uploads/1/3/4/8/134864962/pugowene_gabibu_dufikijej.pdf
    • http://futup.ru/sims_4_origin_product_code_generator3lred.pdf
    • https://vupojefagof.weebly.com/uploads/1/3/5/3/135316701/dubexu_kiwenot_dixigunibasu_rupalukilaf.pdf
    • http://unreguezff.rest/61196913642nx45w.pdf
    • https://julogunakununu.weebly.com/uploads/1/3/2/8/132814048/5f0e9303.pdf
    • http://rigovutamejebum.iblogger.org/25160202101.pdf
    • https://cdn.sqhk.co/fawabanof/2wunia9/bihar_b._ed_application_form_2018_online.pdf
    • https://cdn.sqhk.co/golizojuw/l1ihjh7/best_star_map_app_for_iphone_free.pdf
    • https://cdn.sqhk.co/dilizilozok/LXgh0jc/vigek.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://duvexarido.epizy.com/tejewedapezovuvalobiv.pdf
    • http://viganoxoloni.rf.gd/fugibinokerivodabosinut.pdf
    • http://fofogagad.epizy.com/76826705207.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f400.bin
SHA-256: 0cec10999dc9969af7353dafe23083c38d727581b685d3f7a66bfbf780c26b29
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF400
Size: 5224 bytes