Malicious PDF — malware analysis report

Static analysis result for SHA-256 62ab9f78ef8d3215…

MALICIOUS

PDF

84.6 KB Created: 2020-11-20 17:24:07 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6d5ff4bd3ecf995a4e7dd267769889f8 SHA-1: ac3c10185775107f14da23014927aa207411a20e SHA-256: 62ab9f78ef8d32159012c30415e27ebe1cdb5c6128f716d0b3506dc58005c0d9
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a malicious site. The document body, though heavily obfuscated, suggests a lure related to 'Cag full form in kannada'. No scripts were extracted, but the presence of embedded URIs and the overall detection profile strongly suggest a phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9450

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/aws?utm_term=cag+full+form+in+kannada
    • https://manomukujoputu.weebly.com/uploads/1/3/4/5/134517900/gekaponevadasow.pdf
    • https://zomomawiwupid.weebly.com/uploads/1/3/4/3/134385308/bejemonetinapadew.pdf
    • https://movulejovem.weebly.com/uploads/1/3/4/4/134470355/4730331.pdf
    • https://cdn-cms.f-static.net/uploads/4379719/normal_5f8da1b5293dc.pdf
    • https://wirufaxiferid.weebly.com/uploads/1/3/4/5/134599318/7303094.pdf
    • https://cdn-cms.f-static.net/uploads/4366347/normal_5f96c3fd27f9d.pdf
    • https://cdn-cms.f-static.net/uploads/4374522/normal_5fad555908a2d.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/a9ebed0f-9656-4567-af15-0f466c9b0d84/mitifosofigobifasokiz.pdf
    • https://s3.amazonaws.com/pulavokaxe/23056906943.pdf
    • https://uploads.strikinglycdn.com/files/4548bc72-30fa-424f-acf0-730c1b935c70/44882031063.pdf
    • https://uploads.strikinglycdn.com/files/8a20580c-91ce-4191-b1f6-503410a72021/classe_vo_nmero_turnitin.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011d92.bin
93fe139c9cea6d15824746c2cd68c678f8659b81ea6ae2424bf7621e11b25073		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11D92 4820 bytes
font_01_sfnt_off00012dd4.bin
c62be684e2cbd0f62605b25d2876f55800ef45cb2a315a4cda410ed433772753		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12DD4 11552 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.