Malicious PDF — malware analysis report

Static analysis result for SHA-256 69c6850202c3d6c1…

Verdict: MALICIOUS
File type: PDF
Size: 73.6 KB
Created: 2021-03-16 04:17:05 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a351a2ecf2979cd3a3c66021079941cd
SHA-1: cd5337a89e22e63d2a28fa53f13c8cf8d72ed977
SHA-256: 69c6850202c3d6c1bff0ea18fe08925b7cc8a464ff0ebbf5028fedea1a7d41ab
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file is detected as malicious by both ClamAV and an ML classifier, and it contains an embedded URI action pointing to a URL that is likely part of a phishing or malware-distribution scheme. The document body, though heavily obfuscated, contains text consistent with a lure themed around a 'Cubs schedule 2020 pdf', intended to trick the user into downloading a malicious payload. The embedded URLs together with the detections strongly indicate a phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7018

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000f1bc.bin (SHA-256 8ba4327bb034d87726aa6df929aaf32b624dc0c1489b8be4ecd2dd0826da10c1) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF1BC | 5256 bytes
font_01_sfnt_off00010395.bin (SHA-256 20adb9b99523126d9b2f5914bab0ce205186b42154a13bbaf991eeacd2f594ca) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10395 | 10744 bytes