Malicious PDF — malware analysis report

Static analysis result for SHA-256 53d572682828c434…

MALICIOUS

PDF

Size: 64.0 KB
Created: 2021-02-15 22:10:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5a857d93fdc430a160567ec9a7964e04
SHA-1: eb4b79086bd97e1973ff8b66a0b7f0237e604f64
SHA-256: 53d572682828c4349c91f727a707de792b4fcc104b921b21ff85001ff94144d6
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample is a PDF file flagged as malicious by multiple heuristics, including a high-confidence ML classifier verdict and a ClamAV signature match. It carries external URL actions pointing to further PDF files hosted on a mix of free-hosting and CDN domains, suggesting it is an intermediate stage in a phishing or malware distribution chain. The document body, though heavily corrupted, contains text related to a thermostat manual (the first extracted URL carries the search term "honeywell th6110d1021 thermostat manual"), consistent with a search-engine lure intended to entice users to download the next-stage content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9828

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/123?utm_term=honeywell+th6110d1021+thermostat+manual
    • https://cdn.sqhk.co/selugijibix/fjfhgji/97992767656.pdf
    • http://merulabodonulu.iblogger.org/zenutumilivoxonekipubo.pdf
    • https://static.s123-cdn-static.com/uploads/4494146/normal_5ff1910ea76ac.pdf
    • http://xujukega.66ghz.com/jazaf.pdf
    • https://jubibesu.weebly.com/uploads/1/3/1/3/131379113/6190255.pdf
    • http://yogistika.space/kusitadekagiwesizizaucqgj.pdf
    • https://dapeborax.weebly.com/uploads/1/3/0/8/130813135/6285157.pdf
    • http://cz-nitrof.website/cardinal_and_ordinal_numbers_chartetu1f.pdf
    • http://stroiline74.ru/ruben_bolanos_architect1kaeq.pdf
    • https://voruvagozi.weebly.com/uploads/1/3/4/7/134742827/1861070.pdf
    • https://cdn.sqhk.co/razefudixid/v1gotgi/word_crossy_betta_games.pdf
    • https://cdn.sqhk.co/dejuxafe/K9lgi83/farm_zoo_bay_island_village_hack_apk.pdf
    • https://cdn-cms.f-static.net/uploads/4450250/normal_5fe62e310def6.pdf
    • https://vowipolijej.weebly.com/uploads/1/3/4/7/134713390/gefotanofubage.pdf
    • http://lordtrans.ru/xawurakegenebunizevew6zkrl.pdf
    • https://cdn-cms.f-static.net/uploads/4450507/normal_601dbb8498ccb.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://jifigazanovew.epizy.com/altered_form_giratina_raid_counters.pdf
    • https://s3.amazonaws.com/fixararololu/61562095022.pdf
    • http://miripiwamaza.epizy.com/tracheostomy_tube_care.pdf
    • https://s3.amazonaws.com/ribowexulo/amazon_blood_pressure_cuff_manual.pdf
    • http://xusixuxoribixe.rf.gd/grade_10_math_worksheets_ontario_free.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ed4e.bin
SHA-256: 17fb6640ea9b87e4fd48823098ff17133e062416f3c4eda03a3e89d6209fc445
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xED4E
Size: 5700 bytes
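The external URI action, the JavaScript technique mapping and the carved sfnt font artifact above all come from walking the PDF object tree. The following Python script is an added example of that kind of static triage; it is not the analysis platform's own code, and the PDF it runs on is constructed inline (with a hypothetical example.invalid lure URL and a zero-filled font body) rather than the analysed sample. It lists /URI targets, counts objects carrying /JavaScript or /JS, notes a document-level /OpenAction, looks inside Flate-compressed object streams (/ObjStm), where a grep of the raw file misses actions, and carves streams whose decoded bytes begin with an sfnt version tag, reporting object number, size and SHA-256 as the artifact table does.

```python
"""Static PDF triage: external URI actions, JavaScript, OpenAction and
embedded sfnt font streams.  Added example with a constructed sample PDF;
not the analysis platform's own code."""
import hashlib
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"\bstream\r?\n")            # \b keeps "endstream" out
LEN_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # direct /Length only
# literal string after /URI, allowing backslash-escaped parentheses
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# sfnt version tags: TrueType, CFF OpenType, Apple TrueType, TrueType collection
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")


def _scan(text, report):
    """Record URI targets and script / open-action indicators in a dictionary."""
    for uri in URI_RE.findall(text):
        report["uris"].append(uri.decode("latin-1"))
    if b"/JavaScript" in text or b"/JS" in text:
        report["javascript"] += 1
    if b"/OpenAction" in text:
        report["open_action"] = True


def triage(pdf):
    report = {"uris": [], "javascript": 0, "open_action": False, "fonts": []}
    for num, body in OBJ_RE.findall(pdf):
        m = STREAM_RE.search(body)
        head = body[:m.start()] if m else body   # the object dictionary only
        _scan(head, report)
        if not m:
            continue
        lm = LEN_RE.search(head)
        if lm:   # slice by /Length so binary data containing EOLs is not cut
            data = body[m.end():m.end() + int(lm.group(1))]
        else:    # best-effort fallback for indirect /Length values
            data = body[m.end():body.rfind(b"endstream")].rstrip(b"\r\n")
        if b"/FlateDecode" in head:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue   # truncated or corrupted stream; skip it
        if b"/ObjStm" in head:
            # compressed objects live inside the stream: scan the inflated text too
            _scan(data, report)
        elif data[:4] in SFNT_MAGIC:
            report["fonts"].append({
                "obj": int(num),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return report


def _stream_obj(num, entries, raw):
    """Build a Flate-compressed stream object with a correct direct /Length."""
    data = zlib.compress(raw)
    return (b"%d 0 obj << %s /Length %d /Filter /FlateDecode >>\nstream\n"
            % (num, entries, len(data)) + data + b"\nendstream\nendobj\n")


# Constructed sample (assumption: not the analysed file).  A link annotation
# with a /URI action, an /OpenAction that runs JavaScript, a second URI hidden
# inside an object stream, and a font stream whose bytes start with 0x00010000.
FONT = b"\x00\x01\x00\x00" + b"\x00" * 60
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (http://example.invalid/lure.pdf) >> >> endobj\n"
    b"5 0 obj << /S /JavaScript /JS (app.alert('hi')) >> endobj\n"
    + _stream_obj(6, b"/Length1 64", FONT)
    + _stream_obj(7, b"/Type /ObjStm /N 1 /First 4",
                  b"8 0 << /S /URI /URI (http://example.invalid/second.pdf) >>")
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

Run against the constructed file it reports both URIs, one JavaScript-bearing object, the OpenAction, and a 64-byte sfnt stream in object 6. The indicator checks are deliberately naive: names can be hex-escaped (`/J#53` for `/JS`), strings can be written as hex `<...>` rather than literals, and an indirect `/Length n 0 R` falls back to an EOL-stripping guess, so a sample like the one above, whose body is heavily corrupted, still deserves a full parser that normalises names and follows references before the result is trusted.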