Malicious PDF — malware analysis report

Static analysis result for SHA-256 3adcccce7f9d528d…

Verdict: MALICIOUS
File type: PDF
Size: 61.3 KB
Created: 2021-04-01 03:33:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f7919770c37769f60e7e5f2932f4bb66
SHA-1: a03b03e4be96bd48c2c1d05f89be080a566751da
SHA-256: 3adcccce7f9d528db0a05f5a5a1acdffc84a1963e6c63fcd9191f169eb196e1e
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'https://ponafet.ru/award?keyword=africa+a+short+history+pdf', suggesting a phishing or social engineering attack. The presence of multiple suspicious URLs further supports this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9722

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ponafet.ru/award?keyword=africa+a+short+history+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000d930.bin
    SHA-256: 42e916e3317365817ed5913c3158b6a8c11313f9be24625c8c42da9349668d89
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD930
    Size: 5300 bytes