Malicious PDF — malware analysis report

Static analysis result for SHA-256 6d0af09dfbfb9027…

MALICIOUS

PDF

Size: 68.4 KB
Created: 2021-02-26 21:07:05 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: 651fd66faa24c6f5f8e9509786274df6
SHA-1: dfed0c7b2ba71f333ed78157f0a59c9c00459b4a
SHA-256: 6d0af09dfbfb90270e3b32d9d5c277bb72366a30d84fe3b4a1b2781065eec177
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URI pointing to a suspicious URL. ClamAV and an ML classifier also flagged this file as malicious, specifically as a phishing trojan. The document body, though heavily obfuscated, appears to contain text related to the embedded URL, suggesting a social engineering lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9678

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/strik?utm_term=does+tu+in+spanish+have+an+accent+mark (PDF link annotation)
    • http://zugapuvu.mywebcommunity.org/english_speaking_lessons_for_intermediate_level.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4417216/normal_601150fe35d6a.pdf (in PDF document text)
    • https://cdn.sqhk.co/nisisepolo/WZ4Hvif/42688944378.pdf (in PDF document text)
    • http://jowopejev.22web.org/47521585391.pdf (in PDF document text)
    • https://cdn.sqhk.co/molavagew/55hchfp/battle_arena_toshinden_3.pdf (in PDF document text)
    • http://gedadekenoz.mywebcommunity.org/xamimaru.pdf (in PDF document text)
    • http://jaralet.getenjoyment.net/60925941226.pdf (in PDF document text)
    • http://lalexejiwisejul.iblogger.org/cognos_11_event_studio_user_guide.pdf (in PDF document text)
    • http://viwowiziboso.22web.org/39599307606.pdf (in PDF document text)
    • https://cdn.sqhk.co/gikokimofegi/ih3ijbW/5314933275.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://disefubukub.rf.gd/piwemido.pdf (in PDF document text)
    • https://s3.amazonaws.com/rawesaragegugar/lebutifefataseson.pdf (in PDF document text)
    • http://pomigipasa.epizy.com/85577762722.pdf (in PDF document text)
    • https://s3.amazonaws.com/sefabe/46733699766.pdf (in PDF document text)
    • http://vefuvepux.epizy.com/impact_of_globalization_in_sri_lanka.pdf (in PDF document text)
    • https://s3.amazonaws.com/mejados/metozolalosutosasin.pdf (in PDF document text)
    • https://s3.amazonaws.com/toliwudalamem/grammar_practice_worksheets_simple_past.pdf (in PDF document text)
    • http://denawovusu.rf.gd/anaconda_snake_photo.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f237.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF237
Size: 5264 bytes
SHA-256: da5e9332ef08abb33285ae633f7aa601a4785008feab89f78b93680a6c5683b7