Malicious PDF — malware analysis report

Static analysis result for SHA-256 443862ee09b24a47…

MALICIOUS

PDF

Size: 76.3 KB
Created: 2021-03-23 19:28:19 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cdcbdf8b4276e808339a4da1135bb140
SHA-1: a9101195c0c6cae5f7d458a1d84d87a078299cc3
SHA-256: 443862ee09b24a476366a982710e52e108e0cdabf3557c93ccc28f7132abc0a2
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that directs users to a suspicious domain, likely for phishing purposes. ClamAV detection and ML classification strongly indicate malicious intent, classifying it as a phishing trojan. The document body, though heavily obfuscated, references 'Amarnath yatra 2020 medical form pdf', suggesting a lure to trick users into downloading or interacting with malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9739

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010fdd.bin
SHA-256: 0d296d866a8a2af182866b06ce8ed717d2334dfde6d79dcf4529ea03967f8145
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10FDD
Size: 5584 bytes