Malicious PDF — malware analysis report

Static analysis result for SHA-256 5f2e7bdfc38d4741…

MALICIOUS

PDF

Size: 46.2 KB | Created: 2021-03-18 09:26:15 +02:00 | Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 295d4805632737cd637668d84e4afaac | SHA-1: 178bffa8d01b0b0cc3745dbce23270f571dfe4b2 | SHA-256: 5f2e7bdfc38d47412d6e0b453d938902c56a5ce091f43882ff556a318f44025f
Risk Score: 114

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

ClamAV and the ML classifier both flag this PDF as malicious, and its structure is that of a phishing lure: a single image, no text objects, and a link annotation carrying an external URI action. The PDF_IMAGE_LURE heuristic captures a common tactic in which a full-page screenshot of a document or login form hides a clickable region, so the victim sees a "document" but the click goes to an attacker-controlled URL. The embedded URL, https://crophysi.ru/award?keyword=mla+referencing+style+pdf, is the primary indicator of intent and most likely serves a landing page for credential harvesting or further payload delivery; its query string mirrors a search phrase, the kind of bait used to draw victims looking for the promised document. The authoring application recorded in the metadata (wkhtmltopdf, which renders HTML to PDF) is consistent with a lure generated from a web page rather than written in a document editor. The URL and its domain are the actionable indicators; the additional URLs extracted below carry no channel label and should be treated as related infrastructure only after independent confirmation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7623

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 46 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://crophysi.ru/award?keyword=mla+referencing+style+pdf
    • https://static.s123-cdn-static.com/uploads/4372735/normal_5fc60c9735d89.pdf
    • http://reassurez-moi-fr.info/electrical_calculations_cheat_sheetrasu0.pdf
    • https://static.s123-cdn-static.com/uploads/4380213/normal_60031d5da800d.pdf
    • http://videohost.space/tumudujuxuxxtu8v.pdf
    • https://cdn.sqhk.co/wagomito/atchg9t/16351793237.pdf
    • http://center-about.com/teachers_first_credit_union_mortgage_ratesoj7x6.pdf
    • http://onsideball.info/723945737693l8ec.pdf
    • http://vizit.store/how_to_remove_jvc_kw-r910btlp62x.pdf
    • http://ig-copyrightnotice.com/ejercicios_de_porcentajes_para_secundariagfu24.pdf
    • https://cdn.sqhk.co/davusegeb/Xhb0Iif/32019172630.pdf
    • http://opit.space/stc-1000_manual_espaolwg9vb.pdf
    • https://cdn.sqhk.co/dezorevukor/t5QLWib/musulowevomes.pdf
    • http://haustova.com/gba_emulator_pro_apkrirq8.pdf
    • https://cdn-cms.f-static.net/uploads/4392215/normal_602534a69ca72.pdf
    • http://goldalbum.ru/44714926711p1fqv.pdf
    • http://petrol-v-pol-price.site/babetowaperofe004hf.pdf
    • https://cdn-cms.f-static.net/uploads/4492901/normal_602f606a8955c.pdf
    • https://cdn.sqhk.co/lulaxujik/AngdjeO/fedoxa.pdf
    • https://da5bec28-7969-4117-8ffb-5069fce5e80c.filesusr.com/ugd/31593d_c7f427b5da604b738801d344a41661a1.pdf?index=true
    • https://729282ec-1290-4cbc-9302-cf8a24acd4c7.filesusr.com/ugd/42c189_666ae275812548d4b8aebcb8938bdc8f.pdf?index=true
    • https://f6e2a16f-d004-42cd-8f17-0463e090774c.filesusr.com/ugd/c70c35_94ee3712ff434dff8925e55ce8b9f0df.pdf?index=true
    • https://807eaacf-9fb6-4e16-bcb8-061395d1d132.filesusr.com/ugd/a3ef2e_de5b0b2bb84345109996e81737ad49b8.pdf?index=true
    • https://1794ee33-230d-455b-98b1-84d48067edce.filesusr.com/ugd/551769_2e26abd1f6024aa5a12c543217d8d42d.pdf?index=true
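The PDF_IMAGE_LURE heuristic above (at least one image, zero text blocks, a click-outward action, small file) can be reproduced for triage with a handful of regex scans over the raw PDF bytes. The following is an added example written for this report, not the analysis platform's own code: it inflates FlateDecode streams so that text hidden in compressed content streams is still counted, tallies image XObjects and BT text objects, lists outward action types (/URI, /Launch, /SubmitForm, /GoToR) and /URI targets, and applies the same four-part rule. Both PDFs it scans are constructed inline, and their URLs are placeholders on example.invalid, not the indicator from the report. It is a regex approximation rather than a PDF parser: encrypted files, object streams with other filters (LZW, ASCIIHex) and hex-encoded URI strings are not handled.

```python
import re
import zlib

# Constructed sample (not the analysed file): one page whose only content is a
# full-page image, plus a /Link annotation with a /URI action. Placeholder URL.
LURE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
  /Resources << /XObject << /Im1 4 0 R >> >> /Contents 5 0 R /Annots [6 0 R] >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceRGB
  /BitsPerComponent 8 /Length 3 >>
stream
\xff\xff\xff
endstream
endobj
5 0 obj << /Length 30 >>
stream
q 612 0 0 792 0 0 cm /Im1 Do Q
endstream
endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]
  /A << /S /URI /URI (https://lure.example.invalid/award?keyword=x) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign control: real text in a FlateDecode-compressed content
# stream and the same kind of link annotation. A link alone must not fire.
_TEXT = zlib.compress(b"BT /F1 24 Tf 72 700 Td (Quarterly report) Tj ET")
BENIGN_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
    b" /Contents 5 0 R /Annots [6 0 R] >> endobj\n",
    b"5 0 obj << /Length " + str(len(_TEXT)).encode() + b" /Filter /FlateDecode >>\nstream\n",
    _TEXT,
    b"\nendstream\nendobj\n",
    b"6 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 300 720]"
    b" /A << /S /URI /URI (https://example.invalid/report) >> >> endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

_FLATE_STREAM = re.compile(rb"(/FlateDecode[\s\S]*?stream\r?\n)([\s\S]*?)(\r?\nendstream)")
_IMAGE = re.compile(rb"/Subtype\s*/Image\b")
_TEXT_BLOCK = re.compile(rb"\bBT\b")                      # BT ... ET text objects
_OUTWARD = re.compile(rb"/S\s*/(URI|Launch|SubmitForm|GoToR)\b")
_URI = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")       # literal-string /URI values


def expand_streams(data: bytes) -> bytes:
    """Replace every FlateDecode stream body with its inflated bytes so that
    objects hidden inside compressed streams are visible to the scans below."""
    def inflate(m: re.Match) -> bytes:
        try:
            # decompressobj tolerates a truncated trailer, which the naive
            # stream/endstream regex can produce on CRLF files.
            body = zlib.decompressobj().decompress(m.group(2))
        except zlib.error:
            body = m.group(2)
        return m.group(1) + body + m.group(3)
    return _FLATE_STREAM.sub(inflate, data)


def image_lure_verdict(pdf: bytes, max_size: int = 200 * 1024) -> dict:
    """Apply the PDF_IMAGE_LURE rule: image(s) present, no text blocks,
    an outward action, and a small file. max_size is an assumed threshold."""
    data = expand_streams(pdf)
    images = len(_IMAGE.findall(data))
    text_blocks = len(_TEXT_BLOCK.findall(data))
    actions = [a.decode("ascii") for a in _OUTWARD.findall(data)]
    uris = [u.decode("latin-1") for u in _URI.findall(data)]
    hit = images >= 1 and text_blocks == 0 and bool(actions) and len(pdf) <= max_size
    return {"size": len(pdf), "images": images, "text_blocks": text_blocks,
            "actions": actions, "uris": uris, "PDF_IMAGE_LURE": hit}


if __name__ == "__main__":
    for name, sample in (("lure", LURE_PDF), ("benign", BENIGN_PDF)):
        print(name, image_lure_verdict(sample))
```

The benign control matters: it carries the same /URI action, so the external link by itself is only an informational PDF_URI finding, exactly as the report states; the verdict flips only when the document has no text for the image to stand in for.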