Malicious PDF — malware analysis report

Static analysis result for SHA-256 39d9da671e90dc62…

MALICIOUS

PDF

Size: 80.2 KB
Created: 2021-06-08 20:05:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25
MD5: c3bc6a05bbc242d7448fd84d831a73c8
SHA-1: 2c5a487c80c61f4bfe4deb64a8233c8f54371357
SHA-256: 39d9da671e90dc62ab1d24a45e7428a0de93dc442ab4757d1174f9930d86f4eb
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains an embedded URI pointing to a suspicious domain, which is likely part of a phishing lure. Although no scripts were explicitly extracted, the PDF structure and embedded URI suggest an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6520

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://philabc.ru/pbw?utm_term=savage+model+99+owners+manual+pdf (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4414339/normal_60318b7ec04ac.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4387932/normal_601937a0cfca0.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4495039/normal_5fd2e6aebb9f7.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4483349/normal_6041750b67920.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4462696/normal_5fdf5417e93de.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4378383/normal_601fa3d9b55f2.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d2c339c1-9179-4ee5-948a-c12e71f3d4a3/cogn_latin_root.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c4fff4f6-e255-48c0-a4de-6ccb9d143ec2/roland_tr_8_manual_deutsch.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/347e8861-bf62-40fa-94b7-7a341d630f48/23633259922.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9f488c66-b07f-43d5-a065-9ac79fad7a3e/84230566751.pdf (in PDF document text)
    • http://biwonuv.pbworks.com/f/teri_ankhe_bhul_bhulaiya_mp3_download.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a84850bb-d4ee-4a07-822a-f960918f8726/calculating_volume_worksheets_5th_grade.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/10afbaef-2d86-41f0-8b6a-7435e947dc6b/29840903178.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b4fb3569-1ea5-4001-b465-06d5286e28b1/taurus_pt111_millennium_pro_specs.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f9574737-5651-4eeb-a9e8-9519d14676eb/pinomewexuxilolotipewen.pdf (in PDF document text)
    • http://povelin.pbworks.com/w/file/fetch/144421392/lixesirabusuzanasufosibaz.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b3a971f1-9612-4e51-adc1-b0c044aee4ff/acer_aspire_one_zg5_service_manual.pdf (in PDF document text)
    • http://jilawuxifi.pbworks.com/f/ithuba_national_lottery_app_download_apk.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0b8c1aab-1199-4fb5-88d7-8945ce8e25e5/are_zte_phones_banned_in_the_us.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/175fd3b3-8fa5-4d5d-8f9e-e7b784596d02/canon_eos_rebel_xt_memory_card_type.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8428f816-69c8-4b8a-8661-c8913fd8af56/25849737791.pdf (in PDF document text)
    • http://kuzimotum.pbworks.com/w/file/fetch/144531663/how_long_does_it_take_cash_app_to_transfer_money_to_bank.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/16545d3e-5c3e-4efb-b61c-c58067aa967a/ejercicios_con_principio_multiplicativo.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f267ecef-1d7f-4dfb-9ddb-23e678c1e733/87757440710.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0001109b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1109B
    Size: 5772 bytes
    SHA-256: fab2ad2d85456797557fb1665bfa7a6b61f65a7231f884fb6d58101d6c492a33