Malicious PDF — malware analysis report

Static analysis result for SHA-256 402f6b259f4e915a…

MALICIOUS

PDF

Size: 62.7 KB
Created: 2021-03-11 23:00:12 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a59effb469b53198ca3e26a85ef3c8d5
SHA-1: fa2958ddb5c72f16e21c0b20787c132981849496
SHA-256: 402f6b259f4e915aef717bb65a1f3ffaec8b199ece10d44a5853d6163f89dc43
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by multiple heuristics and ClamAV, specifically flagged as a PDF phishing trojan. It contains an embedded URI pointing to a suspicious domain, which is a strong indicator of malicious intent. The document body, though heavily obfuscated, suggests a lure related to 'Oxford phonics world 4 pdf', likely a pretext to direct the user to the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8358

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/award?keyword=oxford+phonics+world+4+pdf
    • http://dkmz3.club/40776626800eipwa.pdf
    • http://kijumubafenu.mypressonline.com/ielts_test_academic.pdf
    • http://lenemoloj.22web.org/zezuliwasopi.pdf
    • http://xepuxupipe.mywebcommunity.org/duwenipunokonag.pdf
    • http://pigigozoruda.mypressonline.com/why_is_nikki_giovanni_important.pdf
    • http://fejekadiwoxobiz.getenjoyment.net/what_is_the_singular_possessive_of_police_woman.pdf
    • http://storedubai.shop/el_prncipe_de_maquiavelo_resumen_por_captulos_yahoo7fs08.pdf
    • http://polypak.site/how_to_study_sanskrit_class_9x3879.pdf
    • http://japamawosoj.mygamesonline.org/suwulemum.pdf
    • http://bitcoinov.site/rigodufenudakoxuhu4sy.pdf
    • http://abanca-electronica.com/71141314518kh4x9.pdf
    • http://kifigopetufoge.iblogger.org/89801969503.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/5b2e0c3d-7558-4cee-8785-b7e3268cd3c5/how_to_manage_your_time_in_grad_school.pdf
    • https://s3.amazonaws.com/bipovoromoj/aadhar_card_online_app.pdf
    • https://s3.amazonaws.com/gotenukevepunin/12994633564.pdf
    • https://uploads.strikinglycdn.com/files/5e78902a-7dfb-4bc2-9936-ddf259baf026/82718603369.pdf
    • https://uploads.strikinglycdn.com/files/228bc0e8-330f-4bab-9a07-735af2a3eb1f/58903538749.pdf
    • https://uploads.strikinglycdn.com/files/8d3e2623-ad36-4bc1-8788-9016fee5534e/88143530130.pdf
    • https://uploads.strikinglycdn.com/files/38ff48a4-28e2-44be-b65b-3411b5040e30/how_to_brine_a_turkey_for_big_green_egg.pdf
    • http://pepajefosub.epizy.com/fobavobemifupiworor.pdf
    • https://uploads.strikinglycdn.com/files/02ef0c54-4b1f-43d5-ac24-c8fc8759baae/optical_fiber_communication_system_block_diagram.pdf
    • https://uploads.strikinglycdn.com/files/8b476533-6d03-44da-9050-03c934b44d56/what_was_the_significance_of_the_case_of_marbury_v._madison.pdf
    • https://s3.amazonaws.com/vososasoxumete/votiravelotivisasogo.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d6d3.bin
SHA-256: 0ef13e833df5ae3627afe0b67353758d1eb593c0bed6b8dad9bfc66bb66c0770
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xD6D3
Size: 5308 bytes