Malicious PDF — malware analysis report

Static analysis result for SHA-256 721ba25da7b1dd49…

MALICIOUS

PDF

Size: 77.2 KB
Created: 2021-05-19 12:52:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 897b03acb651eeab9f7c768fa2b7e662
SHA-1: 8bfdb25b4b317700aefb67d7fa549cd52a217f4d
SHA-256: 721ba25da7b1dd493d78a1fdd0125ce1aca118cda17876be0bbd65d1256420be
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URL. ClamAV and ML classifiers identified this file as malicious, specifically as a phishing trojan. The embedded URL likely leads to a phishing page or a further malicious download, attempting to trick the user into interacting with malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8823

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/strik?utm_term=why+is+relationship+building+so+important
    • https://static.s123-cdn-static.com/uploads/4369648/normal_5fc59090e848a.pdf
    • https://static.s123-cdn-static.com/uploads/4383921/normal_60015637c3130.pdf
    • https://cdn-cms.f-static.net/uploads/4393019/normal_602cedf540980.pdf
    • https://cdn-cms.f-static.net/uploads/4378381/normal_606b5739f3db6.pdf
    • https://cdn-cms.f-static.net/uploads/4378175/normal_60537a187bfb4.pdf
    • https://cdn-cms.f-static.net/uploads/4450439/normal_606e751c13bed.pdf
    • https://static.s123-cdn-static.com/uploads/4386073/normal_5ff221956a706.pdf
    • https://static.s123-cdn-static.com/uploads/4393904/normal_5fc86bed82c75.pdf
    • https://cdn-cms.f-static.net/uploads/4475854/normal_6056f3364e396.pdf
    • https://static.s123-cdn-static.com/uploads/4389801/normal_5fe0525eb3a09.pdf
    • https://static.s123-cdn-static.com/uploads/4366305/normal_5ff8100d2e81b.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/sulasatevirexo/72026445953.pdf
    • https://uploads.strikinglycdn.com/files/dcfcd2e4-d035-4729-852a-ab08116a92cf/nalc_contract.pdf
    • https://s3.amazonaws.com/nijosinizo/plan_y_programas_de_estudio_2011_tercer_grado_secundaria_matematicas.pdf
    • https://s3.amazonaws.com/tanikanaw/holland_america_cruise_history_report.pdf
    • https://s3.amazonaws.com/firigugixujotov/74126938750.pdf
    • https://s3.amazonaws.com/niporofez/91471298929.pdf
    • https://s3.amazonaws.com/dubiditiginowo/300_blackout_180_gr_subsonic_load_data.pdf
    • https://uploads.strikinglycdn.com/files/31021d70-38cc-4fe2-a2e3-ea8b1102d898/vututifuvukunizaterunizes.pdf
    • https://s3.amazonaws.com/sezebepit/mini_clavier_bluetooth_azerty_android.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010807.bin
SHA-256: feae435aa581af9b907119ebc227089676c811078254ef7d60ca1b6eeb693d46
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10807
Size: 5628 bytes