Malicious PDF — malware analysis report

Static analysis result for SHA-256 4bd792c0a8e81df6…

MALICIOUS

PDF

Size: 225.0 KB
Created: 2021-06-07 02:06:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 5c8f2db06060b89c5343885ce5d7a19a
SHA-1: be4145e23d483483971c79be6a8cf2fa6f5111f4
SHA-256: 4bd792c0a8e81df6e07c09a62d2c065f825525fb53735050bb5bb0f5898ca3c4
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was detected as malicious by ClamAV and an ML classifier. It contains an embedded URL that points to a resource that is likely intended to deliver a malicious payload, disguised as a textbook solutions manual. The document's metadata indicates it was generated by wkhtmltopdf, a tool often used to create PDFs from web content, suggesting it may have been programmatically generated for phishing purposes.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5090

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pixomot.ru/pbw?utm_term=elementary+linear+algebra+8th+edition+solutions+manual+pdf (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4486563/normal_60270432ecf2d.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4462694/normal_5fccf872f3bfe.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4420776/normal_60567ff741a8a.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4493198/normal_606aace083327.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4495402/normal_6058e821ac8b0.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4452400/normal_602633c35ef49.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4451955/normal_5fc8478063168.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4475866/normal_60171df972a98.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4482847/normal_602c5f8275ad9.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4465704/normal_5fcebd07b0dc4.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4408333/normal_6054f15f8b87c.pdf (in PDF document text)
    • http://fontawesome.iohttp://fontawesome.io/license/ (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.thdl.org/http://www.thdl.org/Tibetan (in PDF document text)
    • https://uploads.strikinglycdn.com/files/20fa4306-92a0-4e2b-a626-01733d92e656/40100063151.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/69c50cbd-5aad-4d53-b6ac-223e5ee1dc59/12th_ethics_book_back_answers.pdf (in PDF document text)
    • http://mitamugukojo.pbworks.com/f/75307593941.pdf (in PDF document text)
    • http://pefagisunel.pbworks.com/w/file/fetch/144755379/38051876244.pdf (in PDF document text)
    • http://goxeguj.pbworks.com/w/file/fetch/144747798/wimirifijulizo.pdf (in PDF document text)
    • http://xivoxibuza.pbworks.com/f/whirlpool_wtw5000dw_service_manual.pdf (in PDF document text)
    • http://xafusigivu.pbworks.com/f/88850608343.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1abe1e05-194e-46e9-b5be-29d0ed272b82/strategic_management_concepts_and_cases_16th_edition_free_download.pdf (in PDF document text)
    • http://mevuteled.pbworks.com/w/file/fetch/144751692/poduwufotixifoj.pdf (in PDF document text)
    • http://rupebaxo.pbworks.com/w/file/fetch/144753030/bommarillu_songs_download_sensongs.pdf (in PDF document text)
    • http://mifimoruzuwo.pbworks.com/w/file/fetch/144451134/wenozejewonuwosupukejise.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://www.gnu.org/licenses/ (in PDF document text)
    • http://www.gnu.org/copyleft/gpl.htmlTibetan (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0002f8fd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2F8FD | 9856 bytes
    SHA-256: 8956be905d022cac79e0d8342af16a74cb9fc90652110ec44f182bc9796c80ed
font_01_sfnt_off00031662.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x31662 | 5848 bytes
    SHA-256: 0a75421f0b0cfb69e64c0ef6c0b705aad688efb1e2ede20771e57a9957538a52
font_02_sfnt_off00032a22.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x32A22 | 8976 bytes
    SHA-256: 5f07b96a345167f8d597a4b3e1fe0e52dd7a62508af6f8e7b00de7561a89dfc4
font_03_sfnt_off00033be5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x33BE5 | 13920 bytes
    SHA-256: 00b2131dc3f406c47d9cfaccf29ef940258fcad72bd5c74508ca8cd26bf52aac
font_04_sfnt_off00036aee.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x36AEE | 17316 bytes
    SHA-256: bf044b3579e830da47160e501f351dca58a5729810971689317c7509afef5150