Malicious PDF — malware analysis report

Static analysis result for SHA-256 739a3b343fd7a0b3…

MALICIOUS

PDF

Size: 283.2 KB
Created: 2021-03-10 21:04:39 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 03befcc3654a72f52f7644140ed48c38
SHA-1: feb6d203f28e1462e6b0587ba51e7950a1386d86
SHA-256: 739a3b343fd7a0b377e08ff97a7059f1bfafa54774a9b260cc49f7dfa0e36475
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a malicious site. The document body is heavily obfuscated, preventing a clear understanding of its specific lure, but the presence of external URLs suggests an attempt to lead the user to a compromised resource.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9481

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00043ad4.bin
SHA-256: 4de09fe4a600a12674409a7625a781eaf7f84472c85cd514641dff2f6a958c71
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x43AD4
Size: 4944 bytes