Malicious PDF — malware analysis report

Static analysis result for SHA-256 4e839859d6c2c89b…

Verdict: MALICIOUS
File type: PDF
Size: 65.4 KB
Created: 2021-03-22 19:40:54 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fca6b25d28f2e9ff8bebbb09953f7c7c
SHA-1: 6bff337e5f9b571ad5c67965de0e1da3195f174d
SHA-256: 4e839859d6c2c89b320fb66ef3d66f28a7cc7c16d86e7eacfa844bce8203b3a9
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by multiple detection engines, including a machine learning classifier and ClamAV, which flagged it as Pdf.Phishing.Trojan. The presence of an external URI pointing to 'leonvi.ru' strongly suggests a phishing or malware distribution attempt. No scripts were extracted, but the PDF structure itself contains embedded URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8603

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://leonvi.ru/award?keyword=an%25C3%25A1lise+sint%25C3%25A1tica+visual+ernani+pimentel+pdf
    • https://cdn-cms.f-static.net/uploads/4408707/normal_604cd898aaff8.pdf
    • https://static.s123-cdn-static.com/uploads/4473062/normal_5fc924ecd8845.pdf
    • http://politach.com/2875143173ohgmt.pdf
    • http://lifeit.pro/wodugiwakariwevkur0h.pdf
    • https://static.s123-cdn-static.com/uploads/4392656/normal_5fcd8ce9a2906.pdf
    • http://terem.space/luvigajewukuu8q8o.pdf
    • https://static.s123-cdn-static.com/uploads/4491152/normal_600704e55b6e8.pdf
    • https://cdn-cms.f-static.net/uploads/4392871/normal_603e8ee573bcb.pdf
    • http://wonder-ita.space/9698604283369e87.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://gonefuxirazu.rf.gd/ignou_tentative_date_sheet_2018.pdf
    • http://bavufupuvamopaf.atwebpages.com/test_de_canales_de_comunicacion.pdf
    • http://jokubamobivavum.onlinewebshop.net/73592158190.pdf
    • http://tuvixivo.epizy.com/tejojefasukerutafaloje.pdf
    • http://saderure.rf.gd/autocad_2017_student_version_free.pdf
    • http://zunuwovadete.epizy.com/volume_of_combined_rectangular_prisms_worksheets.pdf
    • http://ladurabazidema.onlinewebshop.net/caricature_drawing_book.pdf
    • http://desovizipelo.onlinewebshop.net/99603818270.pdf
    • http://xupuminepozil.rf.gd/jalodadinaxawubekasag.pdf
    • http://dozopedatofol.atwebpages.com/union_jack_bunting_template.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ddf1.bin
SHA-256: a336bb2e108957fbd481885884ad046341927f7402cf9c904f8928e8cab67f16
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xDDF1
Size: 5584 bytes