Malicious PDF — malware analysis report

Static analysis result for SHA-256 37d556682b04e99e…

Verdict: MALICIOUS
File type: PDF
Size: 73.6 KB
Created: 2021-03-04 04:47:47 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 17596411730dd8dee7dfe667b8576906
SHA-1: a3b8115bf819c61d62f21254e5b8b7f71122e5d5
SHA-256: 37d556682b04e99eb1418d54e335206f5d7ddfc9f2bfcef0343b632e992b96eb
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a phishing or malware distribution site. The document body, though heavily obfuscated, suggests a lure related to 'organizational structure in healthcare'. No scripts were extracted, but the presence of embedded URIs and the overall detection profile strongly suggest a phishing or credential harvesting attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9730

Heuristics (3)

  • ClamAV (critical, CLAMAV_DETECTION): Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://jacksth.ru/award?keyword=what+is+organizational+structure+in+healthcare

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fe86.bin
SHA-256: a62975a3b4ed06297f47a56e020aa5d37c61681b61d365248da1e5d681d55dba
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xFE86
Size: 5124 bytes