Malicious PDF — malware analysis report

Static analysis result for SHA-256 50ce9f41de54f29a…

MALICIOUS

PDF

Size: 48.0 KB
Created: 2020-11-18 21:01:23 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5b31b1f187b2e189cd5008dea3fbeb6a
SHA-1: 47281143add5e5a413024ad1129e4796004a293c
SHA-256: 50ce9f41de54f29a97e980c58ebc7c9443b22c6a3f8b3e6ce0393d7e39e142f7
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries an external URI action pointing to traffnew.ru, a suspicious domain that is also listed as an IOC. ClamAV (Pdf.Phishing.Trojan signature) and the ML classifier both flag the file as malicious, consistent with a phishing lure rather than an exploit. The document body text, though heavily obfuscated, relates to 'pokemon tower defense 2 unblocked'; the same phrase appears as the utm_term parameter of the external URI and is most likely the lure theme. No JavaScript heuristic fires on this sample, so the T1059.007 mapping is not corroborated by the heuristics listed below and should be treated as tentative.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7816

Heuristics (3)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffnew.ru/123?utm_term=pokemon+tower+defense+2+unblocked
    • https://cdn-cms.f-static.net/uploads/4403131/normal_5f90e49d5e055.pdf
    • https://reninifovebomul.weebly.com/uploads/1/3/4/3/134361606/rarut.pdf
    • https://cdn-cms.f-static.net/uploads/4414848/normal_5fa59f365aa4d.pdf
    • https://gorokawuse.weebly.com/uploads/1/3/4/4/134489158/6016565.pdf
    • https://cdn-cms.f-static.net/uploads/4375075/normal_5f9b946b8d488.pdf
    • https://cdn-cms.f-static.net/uploads/4402289/normal_5fad9a35eda7c.pdf
    • https://cdn-cms.f-static.net/uploads/4372963/normal_5f899860a4df0.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/66b63480-dd57-491d-adf0-de9a7dd0e82d/4356113456.pdf
    • https://uploads.strikinglycdn.com/files/7cfe676e-8261-4351-bc63-93c3b1362dd6/xopewiporafe.pdf
    • https://s3.amazonaws.com/somamere/worksheetworks_answer_key_math_problem_search.pdf
    • https://s3.amazonaws.com/kafifawono/metiruruwiwevipuv.pdf
    • https://uploads.strikinglycdn.com/files/18fbb11e-6a9a-45db-b1ce-9f3f8c179942/5040906815.pdf
    • https://uploads.strikinglycdn.com/files/ab9e8894-2c98-4624-a013-c9fa3d379c3b/manual_for_bernina_1008.pdf
    • https://uploads.strikinglycdn.com/files/b4148b86-5d42-4b51-874c-db31eb574a94/vijagavoba.pdf
    • https://s3.amazonaws.com/tetazino/99265189007.pdf
    • https://s3.amazonaws.com/sefipa/85381546310.pdf
    • https://uploads.strikinglycdn.com/files/6976bee4-0e10-41d6-923c-8a6266b8bd6f/rodovigodu.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000afbb.bin
SHA-256: 8d36a24f16475c8bfc4a02358d382fa51635116b432dfae26711f1a235899d25
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xAFBB
Size: 5384 bytes
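The report above attributes each extracted URL to the channel that reached it (URI action, JavaScript, document body) and lists carved streams with their file offset and SHA-256. The following is an added example, not the analysis platform's own code, of how such a static triage pass can be done on raw PDF bytes: it reads /Producer and /Creator, groups URLs by channel (following /JS N 0 R references into the stream that holds the script), and carves every stream object with offset, raw size and SHA-256, inflating /FlateDecode so URLs inside compressed page content are found. The sample PDF, its placeholder URLs under the reserved .invalid TLD, and all function names are constructed for this example; the sample has no xref table, so it exercises the parser but is not a well-formed file.

```python
import hashlib
import re
import zlib

# Regexes for the handful of PDF syntax elements this triage needs.
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
PDF_STRING = rb"\(((?:[^()\\]|\\.)*)\)"                # literal string, one nesting level
URI_ACTION_RE = re.compile(rb"/URI\s*" + PDF_STRING)    # /A << /S /URI /URI (...) >>
JS_INLINE_RE = re.compile(rb"/JS\s*" + PDF_STRING)      # /JS (app.launchURL(...))
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")       # /JS 7 0 R -> script lives in a stream
# "N G obj << dict >> stream": captures object number and dictionary, refusing to run
# across an 'endobj' so one object's dictionary is never paired with the next's stream.
STREAM_OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)
# Direct /Length only; an indirect "/Length 9 0 R" is deliberately not matched.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def _unescape(s):
    """Undo the escapes allowed inside a PDF literal string."""
    return s.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")


def info_field(pdf, key):
    """Return the /Producer, /Creator, ... string from the Info dictionary, or None."""
    m = re.search(rb"/" + key + rb"\s*" + PDF_STRING, pdf)
    return _unescape(m.group(1)).decode("latin-1") if m else None


def carve_streams(pdf):
    """Carve every stream object: object number, data offset, raw size, SHA-256 of the
    raw bytes (what an artifact table reports) and the inflated bytes for searching.
    Only /FlateDecode is handled; streams with other filters are searched raw."""
    streams = []
    for m in STREAM_OBJ_RE.finditer(pdf):
        start = m.end()
        length = LENGTH_RE.search(m.group(2))
        if length:                                   # trust a direct /Length
            raw = pdf[start:start + int(length.group(1))]
        else:                                        # fall back to the endstream keyword
            end = pdf.find(b"endstream", start)
            if end == -1:
                continue                             # truncated stream: nothing to carve
            raw = pdf[start:end].rstrip(b"\r\n")     # may over-strip binary data; /Length is authoritative
        decoded = raw
        if re.search(rb"/Filter\s*/FlateDecode", m.group(2)):
            try:
                decoded = zlib.decompress(raw)
            except zlib.error:
                decoded = raw                        # corrupt stream: still hash and search the raw bytes
        streams.append({"objnum": int(m.group(1)), "offset": start, "size": len(raw),
                        "sha256": hashlib.sha256(raw).hexdigest(), "decoded": decoded})
    return streams


def extract_urls(pdf):
    """Group URLs by the channel that reached them: 'uri_action' (link annotations and
    OpenAction URIs), 'javascript' (inline /JS strings or streams referenced by /JS N 0 R)
    and 'body' (any other decoded stream, e.g. page content)."""
    found = {"uri_action": set(), "javascript": set(), "body": set()}
    for m in URI_ACTION_RE.finditer(pdf):
        found["uri_action"].add(_unescape(m.group(1)).decode("latin-1"))
    for m in JS_INLINE_RE.finditer(pdf):
        found["javascript"].update(u.decode("latin-1") for u in URL_RE.findall(_unescape(m.group(1))))
    js_objects = {int(n) for n in JS_REF_RE.findall(pdf)}
    for s in carve_streams(pdf):
        channel = "javascript" if s["objnum"] in js_objects else "body"
        found[channel].update(u.decode("latin-1") for u in URL_RE.findall(s["decoded"]))
    return {k: sorted(v) for k, v in found.items()}


def has_javascript(pdf):
    """True if any JavaScript action or /JS entry is present, whatever the script contains."""
    return bool(re.search(rb"/S\s*/JavaScript|/JS\b", pdf))


# Constructed sample (not from the analysed file): a Flate-compressed page content stream,
# a link annotation with a /URI action, an OpenAction JavaScript whose code sits in its own
# stream, and an Info dictionary. Producer/Creator values are assumed wkhtmltopdf-style.
SAMPLE_JS = b'app.launchURL("https://example.invalid/js", true);'
SAMPLE_CONTENT = b"BT /F1 12 Tf (see https://example.invalid/body) Tj ET"


def build_sample_pdf():
    content = zlib.compress(SAMPLE_CONTENT)
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [6 0 R] >> endobj\n",
        b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream\nendobj\n",
        b"5 0 obj << /S /JavaScript /JS 7 0 R >> endobj\n",
        b"6 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
        b"/A << /S /URI /URI (https://example.invalid/link?utm_term=lure) >> >> endobj\n",
        b"7 0 obj << /Length %d >>\nstream\n" % len(SAMPLE_JS) + SAMPLE_JS + b"\nendstream\nendobj\n",
        b"8 0 obj << /Producer (Qt 4.8.7) /Creator (wkhtmltopdf 0.12.5) >> endobj\n",
        b"trailer << /Root 1 0 R /Info 8 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    pdf = build_sample_pdf()
    print("creator:", info_field(pdf, b"Creator"), "| producer:", info_field(pdf, b"Producer"))
    print("javascript present:", has_javascript(pdf))
    for channel, urls in extract_urls(pdf).items():
        print(channel, urls)
    for s in carve_streams(pdf):
        print("obj %d stream at 0x%04X, %d bytes, sha256 %s" % (s["objnum"], s["offset"], s["size"], s["sha256"]))
```

Run against the real sample, the channel grouping is what distinguishes a URI action (the user only has to click a link) from JavaScript that fires on open, and the offset/SHA-256 pair for each carved stream is what lets you match a font or image stream against an artifact table like the one above without re-carving. Object streams (/Type /ObjStm) and filters other than Flate are out of scope for this snippet; a production parser has to handle both.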