Malicious PDF — malware analysis report

Static analysis result for SHA-256 575c2c527367a250…

Verdict: MALICIOUS

File type: PDF

Size: 116.0 KB
Created: 2021-03-31 02:45:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8fabb554a81eb0482bbff30a50e5eaa6
SHA-1: 9465ec9f776af95c228b319d06cd157e4d9bb259
SHA-256: 575c2c527367a250b20564fd1a38e59f59f42a093012081cb321b8289b40a749
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is classified as malicious by the Nyx PDF classifier (score 0.6844) and by ClamAV, which names it a PDF phishing trojan. It carries an external URI action and a large set of embedded URLs, led by https://lozipotod.ru/award?keyword=arte+contemporaneo+en+mexico+pdf and otherwise spread across free web-hosting domains (weebly.com, mygamesonline.org, 22web.org, epizy.com, filesusr.com, ...), consistent with a lure that redirects the reader or fetches a second-stage payload. Although the document body is heavily obfuscated, the file's metadata shows it was generated with wkhtmltopdf 0.12.5 (Qt 4.8.7), an HTML-to-PDF converter that is sometimes used to create malicious documents. Two caveats: the ascendercorp.com, gnu.org, savannah.gnu.org and sil.org entries at the end of the URL list are most likely licence and vendor strings carried by the two embedded sfnt fonts rather than lure links, and the T1059.007 (JavaScript) mapping is not backed by any of the three heuristics below, none of which reports JavaScript.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.6844

Heuristics (3)

  • ClamAV detection (critical, CLAMAV_DETECTION): Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware under the signature above.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Embedded URLs (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/award?keyword=arte+contemporaneo+en+mexico+pdf
    • https://nokajadum.weebly.com/uploads/1/3/4/8/134887388/nalare-mufidunutip-bawinige-vabipozinotipol.pdf
    • http://dezimazokuxulil.mygamesonline.org/45572749067.pdf
    • http://jawunefuda.mygamesonline.org/77254052372.pdf
    • http://tolujupa.22web.org/ky_odometer_correction_form.pdf
    • https://gemiporelowagi.weebly.com/uploads/1/3/0/7/130775846/714f1fbcfa.pdf
    • https://mewifukemi.weebly.com/uploads/1/3/4/7/134764424/2269092.pdf
    • https://cdn.sqhk.co/remezebona/bJ9szig/biwefopuvavudutowexaxegog.pdf
    • http://nuvekediporere.22web.org/appendicitis_articles.pdf
    • https://dupizonax.weebly.com/uploads/1/3/1/3/131380343/boridaze_nedavokenum_xiguga_valojitevesi.pdf
    • http://pimifawimonidij.mywebcommunity.org/definicion_de_arritmia_cardiaca.pdf
    • https://static.s123-cdn-static.com/uploads/4484364/normal_5ffd9f433439f.pdf
    • https://cdn-cms.f-static.net/uploads/4481852/normal_600a00a8246fe.pdf
    • https://cdn.sqhk.co/kibukumivu/bdgdcD4/flannel_sheet_set_for_toddler_bed.pdf
    • https://zajebujop.weebly.com/uploads/1/3/4/9/134902249/7fe2ebc0ce.pdf
    • http://tigafik.mygamesonline.org/98454849376.pdf
    • https://cdn-cms.f-static.net/uploads/4484821/normal_605f5b4be6d66.pdf
    • https://cdn.sqhk.co/jotapepikota/a85dvgf/85377607673.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://mojenuj.atwebpages.com/zitofosiparoletodad.pdf
    • http://xetatiwu.rf.gd/37335110572.pdf
    • https://d05b2b94-0af3-401c-a6ef-75d00d0b58ae.filesusr.com/ugd/3bca44_fdabab99a35f404eaf79e0c673f2dcd4.pdf?index=true
    • http://bunisanabasa.epizy.com/nusit.pdf
    • https://1423d76f-a56f-4481-bf87-726e17039346.filesusr.com/ugd/14aee2_3a7894992f794ef6a623c3e236ad8a14.pdf?index=true
    • http://gowesano.epizy.com/entrepreneurship_and_business_management_n5_study_guide.pdf
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                       Size
font_00_sfnt_off00012b1a.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x12B1A   7624 bytes
    SHA-256: 08e4811ebda8e6a6c1a69fbcef783c4daad1299c249b690d143a2a57ca9ffc79
font_01_sfnt_off00013f0c.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x13F0C   5148 bytes
    SHA-256: 0c7ea897c09dc22ba0f7e3ae756e672809c2e420c3676e80d3e4c48457976329
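The three findings above (the PDF_URI action check, the EMBEDDED_URL extraction with its per-channel labels, and the sfnt font streams carved by file offset) can be reproduced locally with a few dozen lines. The following Python is an added example written for this page, not the sandbox's own implementation. It walks the PDF object syntax with regular expressions so it keeps working when the cross-reference table is damaged (common in malicious samples), inflates FlateDecode streams to find URLs that are invisible in the raw bytes, and records the file offset of every embedded font program. build_sample_pdf() assembles a constructed in-memory PDF so the script runs offline; the analysed sample is not included, and lure.example.invalid and payload.example.invalid are placeholder hostnames.

```python
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_START_RE = re.compile(rb"stream\r?\n")
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # skips indirect "/Length 5 0 R"
S_URI_RE = re.compile(rb"/S\s*/URI\b")
URI_KEY_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)  # literal strings only, not <hex>
URL_RE = re.compile(rb"https?://[^\s<>()\"'\]]+")
SFNT_KINDS = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType", b"OTTO": "OpenType/CFF"}


def iter_objects(data):
    """Yield (obj_num, dictionary, raw_stream_or_None, file_offset_of_stream) per object.
    Regex-based so it works with a broken xref; object streams (/ObjStm) are not expanded."""
    for m in OBJ_RE.finditer(data):
        num, body, body_off = int(m.group(1)), m.group(3), m.start(3)
        sm = STREAM_START_RE.search(body)
        if sm is None:  # plain object without a stream
            yield num, body, None, None
            continue
        dictionary, start = body[:sm.start()], sm.end()
        lm = DIRECT_LENGTH_RE.search(dictionary)
        if lm:  # a direct /Length gives an exact slice, so binary data ending in CR/LF is not clipped
            raw = body[start:start + int(lm.group(1))]
        else:   # no usable /Length: take everything up to the endstream keyword
            raw = body[start:body.rfind(b"endstream")].rstrip(b"\r\n")
        yield num, dictionary, raw, body_off + start


def decode_stream(dictionary, raw):
    """Inflate FlateDecode streams; corrupt or truncated data falls back to the raw bytes."""
    try:
        return zlib.decompress(raw) if b"/FlateDecode" in dictionary else raw
    except zlib.error:
        return raw


def find_uri_actions(data):
    """PDF_URI: targets of /S /URI actions (link annotations, /OpenAction, ...)."""
    uris = []
    for _num, dictionary, _raw, _off in iter_objects(data):
        if S_URI_RE.search(dictionary):
            for m in URI_KEY_RE.finditer(dictionary):
                literal = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo \( \) \\ ; octal escapes not handled
                uris.append(literal.decode("latin-1"))
    return uris


def extract_urls(data):
    """EMBEDDED_URL: every http(s) URL in the file, labelled with the channel that reached it."""
    found, seen = [], set()

    def add(blob, source):
        for m in URL_RE.finditer(blob):
            url = m.group(0).decode("latin-1")
            if url not in seen:
                seen.add(url)
                found.append((url, source))

    for uri in find_uri_actions(data):  # action targets first, so they keep that label
        add(uri.encode("latin-1"), "URI action")
    add(data, "document body")  # anything visible in the raw file
    for num, dictionary, raw, _off in iter_objects(data):
        if raw is not None:  # URLs hidden inside compressed streams
            add(decode_stream(dictionary, raw), f"stream obj {num}")
    return found


def find_sfnt_streams(data):
    """Carve embedded font programs (/FontFile2, /FontFile3) by sfnt magic and record where they sit."""
    fonts = []
    for num, dictionary, raw, off in iter_objects(data):
        if raw is not None:
            body = decode_stream(dictionary, raw)
            kind = SFNT_KINDS.get(body[:4])
            if kind:
                fonts.append({"obj": num, "offset": off, "size": len(body), "kind": kind})
    return fonts


def triage(data):
    return {"uri_actions": find_uri_actions(data), "urls": extract_urls(data), "fonts": find_sfnt_streams(data)}


def build_sample_pdf():
    """Constructed sample (not the analysed file): a /Link annotation with a /URI action, a
    Flate-compressed page stream mentioning a second URL, and a fake 64-byte TrueType program."""
    content = zlib.compress(b"BT /F1 12 Tf 72 720 Td (Open http://lure.example.invalid/doc.pdf) Tj ET")
    font = b"\x00\x01\x00\x00" + b"\x00" * 60  # sfnt magic plus padding, not a real font
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Annots [5 0 R] /Resources << /Font << /F1 6 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 730] "
        b"/A << /S /URI /URI (https://payload.example.invalid/award?keyword=test) >> >>",
        b"<< /Type /Font /Subtype /TrueType /BaseFont /Fake /FontDescriptor 7 0 R >>",
        b"<< /Type /FontDescriptor /FontName /Fake /FontFile2 8 0 R >>",
        b"<< /Length %d >>\nstream\n" % len(font) + font + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")
    for i, body in enumerate(objs, start=1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    return bytes(out + b"%%EOF\n")  # no xref table on purpose: the regex walk above does not need one
```

For a real sample, call triage(open(path, "rb").read()); on the constructed PDF it reports the annotation target labelled "URI action", the second URL labelled "stream obj 4" because it only exists inside the inflated content stream, and one TrueType program of 64 bytes in object 8 together with its file offset, which is the same offset convention the artifact names above encode. Font streams that are themselves FlateDecode-compressed are detected after inflation, but the offset reported is still that of the raw stream in the file.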