Malicious PDF — malware analysis report

Static analysis result for SHA-256 5b190cd3e46a9b53…

MALICIOUS

PDF

Size: 62.7 KB
Created: 2021-03-19 13:45:57 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5e2ef0dd1ca839a0c1d4d43808af866b
SHA-1: 8e11b1fb14e21a1be112b8bc195eadeeade48202
SHA-256: 5b190cd3e46a9b533492239ebde926cd048b1dad9897d60ae5f78300ddc69328
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, pelibifir.ru, which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, contains text related to 'Balinese culture pdf' and the authoring application 'wkhtmltopdf', suggesting a lure to entice users to click the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9733

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/award?keyword=balinese+culture+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000cc7e.bin
    SHA-256: 34bd4d5912e8353558c6c5b7aab7ea36c9e32ce217a85d8741baaee356de2acc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCC7E
    Size: 5200 bytes
  • Filename: font_01_sfnt_off0000de3e.bin
    SHA-256: 986dc9fb9175b1cdf1983fcb0e641db12b45163f58110d2b8ec81cbcb69d77ea
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDE3E
    Size: 10300 bytes