Malicious PDF — malware analysis report

Static analysis result for SHA-256 4bb6ddf4677424fd…

Verdict: MALICIOUS
File type: PDF
Size: 65.2 KB
Created: 2021-06-01 02:42:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ec8959056e04b3e7597ec20da408fb41
SHA-1: 92b08d256daae95851c4abb539d816ffde5bdfe1
SHA-256: 4bb6ddf4677424fdb0edfb3d363e7da8e94fc13f2b9da3a95ad586594ed77373
Risk score: 94

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by both the ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains multiple embedded URLs pointing to PDF files hosted on various domains, consistent with a phishing or malware distribution campaign. The PDF_URI heuristic further confirms that the document carries an external URI action.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8608

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000d9ba.bin
    SHA-256: 703296fa4f48b6dd1140da8f662b3b5463a64fe7f83c3306f44a0b8569d8f473
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD9BA
    Size: 5008 bytes