Malicious PDF — malware analysis report

Static analysis result for SHA-256 38f0de871d5a33e1…

Verdict: MALICIOUS
File type: PDF
Size: 84.6 KB
Created: 2021-01-29 12:17:25 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: e0789ee415ebeb06a57718c700d42e43
SHA-1: 01688ce7a9c48265f40a878eab5f2c17f8809540
SHA-256: 38f0de871d5a33e1f50f9e3740303e1715d309ed4e2d4e5ad93e231546917659
Risk score: 64

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is flagged as malicious by ClamAV under a phishing/trojan signature. It contains an embedded URI action pointing to a suspicious domain, jottigo.ru, which is likely used to host malicious content or to redirect the reader to a phishing page. The document body is heavily obfuscated, but the presence of external URIs indicates an attempt to lead the user to a compromised or malicious site.

Machine Learning

  • Nyx PDF Classifier: clean score 0.1782

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jottigo.ru/aws?utm_term=lagu+man+ana+gus+azmi (PDF link annotation)
    • https://xekafifem.weebly.com/uploads/1/3/4/6/134669887/metudepuf_lagoliludof.pdf (in PDF document text)
    • http://metalllift.ru/teologia_biblica_y_sistematica_myer_pearlman_wordk6jgv.pdf (in PDF document text)
    • http://todayit.pro/my_little_princess_2011_full_movie_englishyjam5.pdf (in PDF document text)
    • https://sedesafatowezu.weebly.com/uploads/1/3/1/4/131437285/bdb756533.pdf (in PDF document text)
    • http://fasodotujane.iblogger.org/agritourism_in_maharashtra_information.pdf (in PDF document text)
    • http://pidawiwosoda.iblogger.org/69054245339.pdf (in PDF document text)
    • http://shtampshop.ru/berufoje2dd7r.pdf (in PDF document text)
    • http://mebets.xyz/26641289912s0k6o.pdf (in PDF document text)
    • http://construt.site/85297101169c49d4.pdf (in PDF document text)
    • https://wagemerefav.weebly.com/uploads/1/3/2/7/132712282/6aa54.pdf (in PDF document text)
    • https://cdn.sqhk.co/nawovoso/3mgejh2/xiwawunanu.pdf (in PDF document text)
    • https://cdn.sqhk.co/lufelumad/hjcjdgo/ecology_jobs_salary.pdf (in PDF document text)
    • https://cdn.sqhk.co/joziroluxu/f7iazji/small_city_road_sweeper_simulator_download.pdf (in PDF document text)
    • http://fontawesome.io (in PDF document text)
    • http://fontawesome.io/license/ (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.opentle.org (in PDF document text)
    • https://s3.amazonaws.com/xubifupi/87606337732.pdf (in PDF document text)
    • http://labinugekifuv.rf.gd/festool_1400_router_guide_stop.pdf (in PDF document text)
    • https://s3.amazonaws.com/nagev/plataforma_aula_virtual_upnfm.pdf (in PDF document text)
    • https://s3.amazonaws.com/gowupuzokowuxes/aws_firehose_lambda_transform.pdf (in PDF document text)
    • http://zuraravata.epizy.com/free_birthday_cards_for_son.pdf (in PDF document text)
    • http://tedijafubivot.epizy.com/pafapogot.pdf (in PDF document text)
    • https://s3.amazonaws.com/lekezaru/airtel_app_free.pdf (in PDF document text)
    • http://fopekexu.epizy.com/20532383861.pdf (in PDF document text)
    • https://s3.amazonaws.com/rimejiguvif/tafudusikexivotofaleg.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://www.gnu.org/licenses/gpl.html (in PDF document text)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

  • stream_007_off000143b7.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x143B7
    Size: 5642 bytes
    SHA-256: 05010606f5b0349a96c56de67439dc33e3ec0e324f35e10dd5428f6aa817d0ba
  • font_00_sfnt_off0000e3b3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE3B3
    Size: 3584 bytes
    SHA-256: 516a5d9f711284f2d554f56b3627e6d1e912661a49c7415de2aeb44e52f6cd1c
  • font_01_sfnt_off0000f049.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF049
    Size: 2848 bytes
    SHA-256: 6a0ced336f9510fba0f0eeb85e50291979e4470e370158fcf4ae0d61e8c067f0
  • font_02_sfnt_off0000fcb0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFCB0
    Size: 4868 bytes
    SHA-256: 18ff9b6a8ef338fb0a20a244ddee71ab315d9c99e6584c5447866da5c44318a6
  • font_03_sfnt_off00010d33.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10D33
    Size: 6296 bytes
    SHA-256: 9f2406b17c9f70014ec8a203ff1edac811efe7f1f551e8ef4ca1043b711d6da4
  • font_04_sfnt_off00011da6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11DA6
    Size: 11680 bytes
    SHA-256: 268bada159c47becd8d419eff6b2442410b514d48801c6401f1d080fd825daee