Malicious PDF — malware analysis report

Static analysis result for SHA-256 6b365019f4c17f76…

Verdict: MALICIOUS
File type: PDF
Size: 66.8 KB
Created: 2021-03-04 13:04:52 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-15
MD5: 3cb0d46f88308802047f54f2047c3b86
SHA-1: 6a10d59bea43fbfd1472b62b62d99606893563ec
SHA-256: 6b365019f4c17f7613fe9e0557c0e06479a2b7d13ddfdf74fc804eedf793ae01
Risk score: 94

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains an embedded URI pointing to 'xezojetit.ru' which is presented in the document body as a review, a common social engineering tactic. While no scripts were explicitly extracted, the PDF structure and embedded URI suggest it's designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9557

Heuristics (3)

  • ClamAV detection (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (severity: info, tag: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xezojetit.ru/award?keyword=lee+pro+1000+progressive+reloading+press+reviews (PDF link annotation)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e460.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE460
Size: 5412 bytes
SHA-256: c95dfdfbd52b7fc58e2bd7d8681efb6fe17f9b4a446d270ada588e4ee6f703fb