Malicious PDF — malware analysis report

Static analysis result for SHA-256 5dd56bc34b881332…

MALICIOUS

PDF

Size: 63.7 KB
Created: 2021-06-01 16:31:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c5462815baf879e4b68519f2bc481fa4
SHA-1: ffbf4ae50b9896ab1cf6de9690bbecdf4f79af56
SHA-256: 5dd56bc34b88133238da1052624a94b3d3c93b68dedda48aa71458d1faa0c20a
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document flagged as malicious by multiple heuristics and an ML classifier. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a phishing or malware distribution site. No scripts were extracted, but the presence of an external URI suggests an attempt to download a second-stage payload or phish for credentials.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9774

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000cf7a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCF7A
    Size: 5052 bytes
    SHA-256: 99145121efb32dffaded83dec7a4917ce246c53f98217c1e397e5b6a7b02fc44
  • Filename: font_01_sfnt_off0000e09a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE09A
    Size: 10528 bytes
    SHA-256: adc886fa3d021f6ae70cf2353cbfbf8b18d41ff23c97d0906734f25d0651d0b3