Malicious PDF — malware analysis report

Static analysis result for SHA-256 67b73e65e6e38a43…

MALICIOUS

PDF

Size: 65.4 KB
Created: 2021-04-05 00:18:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b30d13120389eedbba1e62cb018c0b3d
SHA-1: d0f5c419232396327ebb5438751d7d19a8e6f3ed
SHA-256: 67b73e65e6e38a437f579cea6c076ff40477dd0e2552b8f68650aceb9bffec07
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URI pointing to a suspicious domain, flagged by multiple detection engines as malicious. The document body, though heavily obfuscated, appears to be a lure related to 'change management process in project management'. The primary attack vector is likely spearphishing attachment, leading the user to a malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7136

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dugedepap.ru/award?keyword=change+management+process+in+project+management+pdf
    • https://jasefeneg.weebly.com/uploads/1/3/4/4/134489721/275332.pdf
    • https://static.s123-cdn-static.com/uploads/4467038/normal_5ff86572b499a.pdf
    • https://cdn-cms.f-static.net/uploads/4488323/normal_6021006dc5f09.pdf
    • https://cdn-cms.f-static.net/uploads/4481280/normal_6065a459cc3a4.pdf
    • https://tukuboxux.weebly.com/uploads/1/3/4/5/134510407/b5dec8b3c.pdf
    • https://cdn-cms.f-static.net/uploads/4412900/normal_601307afed0b0.pdf
    • https://cdn-cms.f-static.net/uploads/4413967/normal_605cb87173e88.pdf
    • https://xulomonixibeneg.weebly.com/uploads/1/3/1/4/131455416/4526363.pdf
    • http://mubojumef.iblogger.org/watovupezeten.pdf
    • https://cdn-cms.f-static.net/uploads/4474205/normal_6051c1ddcacab.pdf
    • https://cdn-cms.f-static.net/uploads/4378390/normal_605d9734d022d.pdf
    • https://cdn-cms.f-static.net/uploads/4403673/normal_600e54a77ed66.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/d77abe17-b9d1-4baf-a23f-76c9b5bef211/7853173500.pdf
    • http://xawuxona.epizy.com/uscg_auxiliary_form_7012.pdf
    • https://uploads.strikinglycdn.com/files/f83dcb67-f995-4a66-b7fc-df23706d022b/algorithms_in_c_robert_sedgewick_download.pdf
    • https://s3.amazonaws.com/ropuba/22267055209.pdf
    • http://dukutogesedu.epizy.com/call_of_duty_all_parts.pdf
    • http://lalexipitu.rf.gd/uc_browser_for_android_2.pdf
    • https://uploads.strikinglycdn.com/files/79480d2a-6b51-4833-9491-07e99be77734/what_restaurants_are_giving_free_food_for_veterans_on_veterans_day.pdf
    • https://uploads.strikinglycdn.com/files/6ade1253-2a13-4328-b2df-1ce82d157323/wokatowugifin.pdf
    • http://xigufogadenake.epizy.com/loguxajegadixefo.pdf
    • https://uploads.strikinglycdn.com/files/cdc05ce9-9c45-423f-abe4-e6f37ee8134c/26469192564.pdf
    • https://s3.amazonaws.com/bodajaku/71996895033.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f7aa.bin
SHA-256: f601f70c0c3ecff007b6e31a46a23cd7525623b48c5c248a6a4bc7b77347e82a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF7AA
Size: 5520 bytes