Malicious PDF — malware analysis report

Static analysis result for SHA-256 439a56f7c6c018d8…

MALICIOUS

PDF

Size: 68.1 KB
Created: 2021-03-12 01:30:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bce26245e5eb5c78dc9e5955686bc824
SHA-1: ffc222bc61f22208048bcc65c05d997c28903dad
SHA-256: 439a56f7c6c018d891b948e4417b06327d7cd20fc690d71a2e8941119d13d7e0
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was identified as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a phishing site. While no scripts were explicitly extracted, the PDF structure and embedded URI suggest an attempt to deliver a malicious payload or redirect to a phishing page.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7936

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://maypoin.ru/award?keyword=clc+bricks+manufacturing+process+pdf
    • http://wonder-ita.fun/english_grammar_transformation_of_sentences_rules_in_hindimwfqa.pdf
    • https://cdn.sqhk.co/fujotojaxob/dje6eig/tarot_cards_near_me.pdf
    • https://cdn.sqhk.co/jodariwem/TunMgcM/724_stg_usaf.pdf
    • http://vidclips.design/kakakujuwoh7dt.pdf
    • https://cdn.sqhk.co/pisapaxosabo/iOBBLja/internet_marketing_jobs_from_home.pdf
    • https://cdn.sqhk.co/dawadetugas/eLicEhi/wuropozavunidojanadow.pdf
    • https://cdn.sqhk.co/xibidodoko/i1Shchh/samsung_gallery_app_download_for_pc.pdf
    • http://wameduxuka.iblogger.org/xiwakoxajawifo.pdf
    • http://sellamorem.com/57529246712jev92.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/kudufigunabi/initial_nursing_assessment_template.pdf
    • https://4c2674ec-1430-4cec-a455-d6a35d10586e.filesusr.com/ugd/38955b_5a7c9aaf2dcb422a85d2b654f6a520fb.pdf?index=true
    • http://pikaderobiw.atwebpages.com/terizisudasojewutipulu.pdf
    • http://bajupigirosinaf.atwebpages.com/tc_helicon_voicelive_2_firmware_update.pdf
    • https://18cb0a1d-3822-48a5-9ca0-56465202bc9b.filesusr.com/ugd/96564c_df5eb6e3b305488f866fa3edfb685bfc.pdf?index=true
    • https://s3.amazonaws.com/jamuluvuvava/firedezaduzi.pdf
    • http://dolasuwukino.epizy.com/guitar_bajana_songs_naa_songs.pdf
    • http://satogitexuvo.myartsonline.com/what_are_three_things_about_yourself.pdf
    • http://lotawovuvowuk.rf.gd/legend_of_zelda_minish_cap_kinstone_guide.pdf
    • https://s3.amazonaws.com/dujepav/uc_browser_2019_free.pdf
    • https://s3.amazonaws.com/tokatefozude/astronaut_facts_and_information.pdf
    • https://7afd96e6-4611-46d4-9b98-d111b897c281.filesusr.com/ugd/154221_805afb42a457494c83b29d2000c4a407.pdf?index=true
    • https://69cf8a46-0d3d-4b71-8fd1-93df925da18e.filesusr.com/ugd/e4064d_ee326e9d21db4d64b25ca62d873c6821.pdf?index=true
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e7af.bin
SHA-256: a51f58c9fe88ad68626f78ad4a7fc6adea18c24b6991077ec91f9bdf6d15385e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE7AF
Size: 5584 bytes