Malicious PDF — malware analysis report

Static analysis result for SHA-256 49ffe494a28a5bf6…

Verdict: MALICIOUS
File type: PDF
Size: 66.1 KB
Created: 2021-05-18 19:46:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 72095db2b8d969ae03dfd1bfd1878ff4
SHA-1: a1d3c3b991721df085cb41f0d5ba326ded41ef16
SHA-256: 49ffe494a28a5bf6d7e8e7f5fc5e0c88ef5912d183dc93512af0bcb5eba636c8
Risk score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The embedded URLs suggest a phishing or malware distribution attempt, likely disguised as a helpful document. No scripts were extracted, limiting the analysis of specific execution behaviors.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9771

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.communityheroesproject.org/wp-content/plugins/formcraft/file-upload/server/content/files/160751e5f7b422---857400322.pdf
    • http://www.kissdocs.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1607e3c2c486dd---mirujaru.pdf
    • http://test.uebersetzungen-nesselberger.de/wp-content/plugins/formcraft/file-upload/server/content/files/160943ee93fe66---68602684395.pdf
    • https://acethamessecurity.co.uk/wp-content/plugins/super-forms/uploads/php/files/e20518f4c421abea78073d2d8b830e2a/34545868184.pdf
    • https://audreyheselmans.com/_files/file/palututakuzoxoloniv.pdf
    • https://www.lenoir-elec.com/wp-content/plugins/super-forms/uploads/php/files/3feupi74odch9ahles1tl96408/zazajadamijuserutujawo.pdf
    • https://oneremote.ru/wp-content/plugins/super-forms/uploads/php/files/65e8d10d3a60d2af8c7661d71d7dbbec/27795159060.pdf
    • https://marksiegeldds.com/wp-content/plugins/super-forms/uploads/php/files/1f190637852dec319d8e3761e1cbfb88/gojofu.pdf
    • http://classicalgardenornaments.com/uplds/file/3833850198.pdf
    • http://www.alwaysflorida.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608c25a77fac4---54250652855.pdf
    • https://iamluno.com/wp-content/plugins/formcraft/file-upload/server/content/files/160740565ee384---63611714134.pdf
    • http://donghocasiochinhhang.net/uploads/userfiles/file/wajudino.pdf
    • https://www.marbelitesa.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1609b26d269ece---27091206116.pdf
    • http://entone.es/wp-content/plugins/super-forms/uploads/php/files/6e1cf8c0b96f10db061beaec1a597288/basab.pdf
    • https://skazkavdom.com/wp-content/plugins/super-forms/uploads/php/files/9f7d6181edc2aa1a980ea42cb6c38342/pitimizomubenosumek.pdf
    • https://rclurie.com/wp-content/plugins/super-forms/uploads/php/files/adf6b2f027f603347a1fa1ad89464a09/goguz.pdf
    • https://regalcabs.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1609e422a82095---57790493687.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/skout/mBVl/~3/1xuhb7AK25c/uplcv?utm_term=how+do+i+pair+my+hunter+fan+remote+99122
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f22f.bin
SHA-256: 3609b83189d7cd0e866421a4d6800f7c14f9cce1d393ec52377db917846042e6
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF22F
Size: 5568 bytes