Malicious PDF — malware analysis report

Static analysis result for SHA-256 6202bb3b1a3ebda7…

MALICIOUS

PDF

65.4 KB Created: 2021-03-09 10:07:30 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e21a33ecb8a5b4c0857329e577f0725f SHA-1: a5f620000e149f8c90898e6ddc85b8d69a50b365 SHA-256: 6202bb3b1a3ebda738a9fc26ac7357a1333468be6363f73835bc6f717bb4c1ed
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing attempt. The embedded URL `https://soxebez.ru/award?keyword=html+to+pdf+rest+api` suggests a lure related to an award or notification, designed to trick the user into clicking it. The document body, though heavily obfuscated, contains metadata related to HTML to PDF conversion, which might be a cover for the malicious payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9074

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://soxebez.ru/award?keyword=html+to+pdf+rest+api
    • https://cdn.sqhk.co/dejuxafe/aBhcaij/setorutufatekosemuno.pdf
    • https://cdn.sqhk.co/kitujesijak/5SzqKjj/51080914654.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/semuxemakaw/31043048265.pdf
    • https://s3.amazonaws.com/gopuze/citizenship_certificate_canada_instruction_guide.pdf
    • https://uploads.strikinglycdn.com/files/7e2c52cc-1e2c-4d00-949c-1f4986d09053/how_to_open_alarm_box.pdf
    • https://s3.amazonaws.com/fewunadupop/apache_jmeter_3._1_for_windows.pdf
    • https://uploads.strikinglycdn.com/files/87199af0-b955-474c-9c11-0b0f18c7da0c/starting_your_own_podcast_network.pdf
    • https://s3.amazonaws.com/juzewojavomofew/digital_photogrammetry_book.pdf
    • https://uploads.strikinglycdn.com/files/fedb31f9-8608-4b8b-8fa7-e4e2c08d6e2e/internal_auditing_is_a_company_function_that_quizlet.pdf
    • https://uploads.strikinglycdn.com/files/e09140e9-d4be-4473-853a-8f9635227c0f/sony_bdp-s1500_region_free_blu-ray_dvd_player.pdf
    • https://uploads.strikinglycdn.com/files/eec2b939-3692-4566-9e6f-fd4ffbfec955/nikon_af-s_dx_nikkor_18-140mm_review.pdf
    • https://uploads.strikinglycdn.com/files/86ebf103-3e61-42fa-af1e-760219635a11/22397089946.pdf
    • https://s3.amazonaws.com/zosevid/when_is_the_best_time_to_go_squidding.pdf
    • https://s3.amazonaws.com/jinabisura/kudajewuxepelenerinatiw.pdf
    • https://uploads.strikinglycdn.com/files/3a2e7e42-357d-45a8-afab-5230a5771bb5/what_are_the_top_boy_names_for_2020_in_india.pdf
    • https://uploads.strikinglycdn.com/files/cf85673c-cd3a-404c-b2a7-58d3cce86ed0/96731965560.pdf
    • https://uploads.strikinglycdn.com/files/ca2fed2e-7095-4975-8087-a984986aaeb6/validation_failed_ldap_error_code_32_-_no_such_object.pdf
    • https://uploads.strikinglycdn.com/files/b21aba4d-b5d8-4610-ad36-a6fbf39e5e79/why_is_my_cleverspa_hot_tub_not_heating_up.pdf
    • https://s3.amazonaws.com/naxozelozude/bubble_shooter_app_free.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f46c.bin
eddb439f186cb2cccccc2e21040d9932ef2a665114e736ef04014af251ce60e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF46C 5148 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.