Malicious PDF — malware analysis report

Static analysis result for SHA-256 586709af3d9f2fa4…

MALICIOUS

PDF

64.3 KB Created: 2021-05-29 15:29:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1aec482830f715c4fcebc27702dea528 SHA-1: 121bbda414ddfff7cea8d368d3c8be822d70b1b2 SHA-256: 586709af3d9f2fa49da3862805243792d085a834ae1ec99eb44b4ebebc6d6f00
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file is a malicious PDF detected by ClamAV and an ML classifier, indicating it's designed to exploit vulnerabilities. The document body, though partially corrupted, suggests a lure related to sneaker sizing, likely to trick users into interacting with malicious content. The presence of multiple embedded URLs points towards a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8681

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://schreinerheusi.de/wp-content/plugins/formcraft/file-upload/server/content/files/1608d53afeda90---35341148756.pdf
    • https://www.capitalroofingct.com/wp-content/plugins/formcraft/file-upload/server/content/files/16074368f16553---vekunepugelokejiponaja.pdf
    • https://krimgranit.ru/wp-content/plugins/super-forms/uploads/php/files/201e9fe27ce1ab507edda79ef58f3c4f/65309392839.pdf
    • http://xn--80aafkqcanfpgnhbng3b5i9a.xn--p1ai/pict/file/lopefunuk.pdf
    • https://www.thecandystoresudbury.com/wp-content/plugins/super-forms/uploads/php/files/ue544l2a42k2qffs0knil7vum3/zawesilekotevoribanixa.pdf
    • http://xn--80ackbssfuieecff0e8c.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/m9ekbq8t8b6a2io01sm5hpu0m3/29511299575.pdf
    • https://www.novet.de/wp-content/plugins/formcraft/file-upload/server/content/files/160a187855b0b4---gezazurevewog.pdf
    • https://www.democratum.com/wp-content/plugins/super-forms/uploads/php/files/04d3267e58b4b8c48389e5c3e288bf14/wixaluxewajami.pdf
    • http://boulderdivorcelaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/160882b4534d18---dijejapiferosipatanix.pdf
    • https://www.penyembuhanholistikreiki.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609a7723f4186---7428072784.pdf
    • https://detectiveoffice.net/userfiles/file/9094477930.pdf
    • https://christianboudreau.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609f6808a51d7---16392943835.pdf
    • http://www.wallisandemmanuel.com/wp-content/plugins/formcraft/file-upload/server/content/files/16073aba069162---99491230720.pdf
    • https://bluetact.com/locktactyuma/userfiles/file/5406169334.pdf
    • http://mko-yug.ru/wp-content/plugins/super-forms/uploads/php/files/cb85247620c0ecdffa306b99ac15f68b/guzupawurupewidike.pdf
    • https://admonks.ru/wp-content/plugins/super-forms/uploads/php/files/fbb9c1fc7d1df935fa8a4e838779ad63/rarubegupofesuxota.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/Uplcv/~3/GLLx1DTH0VQ/uplcv?utm_term=what+size+to+get+in+yeezy+700+v3
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ebd6.bin
6c3fdfe7852c63e8d25fb563a18ffe245f11f2598f6a3599d94cf2301126d377		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEBD6 5432 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.