Malicious PDF — malware analysis report

Static analysis result for SHA-256 3f1f1df17f5d34c8…

MALICIOUS

PDF

Size: 62.7 KB
Created: 2021-03-20 11:15:13 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8ee0b387b1c03a91af7b3ee0d2131bda
SHA-1: 9370677a6b97622efb955edbb295433ca22fcefe
SHA-256: 3f1f1df17f5d34c8d285c00e2ba9419e87958ca69733b75509b430214142e8ca
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ClamAV and an ML classifier, and contains an embedded URI pointing to a suspicious domain. The document body, though heavily obfuscated, suggests a lure related to 'award' notifications. The presence of an external URI indicates an attempt to redirect the user to a potentially malicious site for further exploitation or phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8897

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/award?keyword=centroid+of+plane+area+by+integration+pdf
    • https://sabitafev.weebly.com/uploads/1/3/4/3/134308069/lebixaxofi-pidosedorugef-gasivexetora.pdf
    • http://zodatowafe.getenjoyment.net/71307864205.pdf
    • http://midekupe.22web.org/plant_physiology_and_biochemistry_impact_factor_2016.pdf
    • http://pepujolajerikur.66ghz.com/anthem_blue_cross_medicaid_appeal_form.pdf
    • http://linefofaxugedu.mywebcommunity.org/someone_like_you_guitar_chords_beginner.pdf
    • https://rizimajapalikum.weebly.com/uploads/1/3/4/6/134633575/fidabe.pdf
    • http://kvrovk.xyz/543869115340mnso.pdf
    • http://xesifavaner.22web.org/wegevipomolopok.pdf
    • http://lodazumutedine.iblogger.org/polabexa.pdf
    • https://sedemosifov.weebly.com/uploads/1/3/0/8/130874126/defozaluxus.pdf
    • http://mirunex.iblogger.org/binomial_and_normal_distribution_worksheet.pdf
    • https://fofupapezu.weebly.com/uploads/1/3/4/3/134356394/porar_todagejore_vudinisirimefu_meputofuzosez.pdf
    • http://sq11mini.com/midizidsibzg.pdf
    • http://santecmb-sarl.com/hp_deskjet_f4280_all-in-one_printer_pricepf5m7.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://gofudawaropuz.epizy.com/85003763356.pdf
    • http://moxurux.epizy.com/free_printable_3rd_grade_punctuation_worksheets.pdf
    • https://uploads.strikinglycdn.com/files/25eedc3c-8eda-4a23-b467-7033e9ed635b/is_there_a_gta_5_money_cheat_code.pdf
    • https://uploads.strikinglycdn.com/files/c7c92c80-f0da-46d6-9dd8-31297d73d5b0/can_kindle_paperwhite_use_overdrive.pdf
    • http://zopumukujo.epizy.com/damages_season_2_episode_guide.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ed0a.bin
SHA-256: 7adb5efa7f61b54773e56f080c693557116d80fdb0083e3d260e5c52a3d436d1
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xED0A
Size: 5180 bytes