PDF malware analysis — malicious · 748aab2c11007d99

MALICIOUS

PDF

105.0 KB Created: 2021-03-30 04:28:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7b6b2161eea7a0233f51622acbb67d91 SHA-1: 325f5ebcee76f7b51506fc83bcdea804e514ab01 SHA-256: 748aab2c11007d99922adc15ab1bbf1d5885feb54a97cb80792711f828d86882

94 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV and an ML classifier, and contains an external URI pointing to a suspicious URL. The document body, though heavily obfuscated, contains text related to 'Oxford word skills intermediate pdf', suggesting a lure to download content. The presence of multiple embedded URLs further supports the malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 0.5378

Heuristics 3

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ponafet.ru/award?keyword=oxford+word+skills+intermediate+pdf+%25D8%25AF%25D8%25A7%25D9%2586%25D9%2584%25D9%2588%25D8%25AF
- https://cdn.sqhk.co/vipujitebiki/hctgdEl/poggy_thorax_location.pdf
- https://cdn.sqhk.co/simizekovogi/mIhbQmM/bilderbuch_bungalow_free.pdf
- https://cdn.sqhk.co/sofaxuleruri/jhujcja/zombie_chasers_book_synopsis.pdf
- http://jaxagogilexet.sportsontheweb.net/reliance_company_balance_sheet_2020_18.pdf
- http://amsidgi.xyz/small_engine_repair_home_study_courselmpby.pdf
- http://jewuzalozegeso.iblogger.org/dogokazuku.pdf
- http://kersita.space/tatalusevivilegufft7pk.pdf
- https://cdn.sqhk.co/madufuxenuw/2BhdXgc/fifixuzulotorogazunigani.pdf
- http://znasila.ru/zombie_survival_kit_amazon7vzo6.pdf
- http://ribadubeko.scienceontheweb.net/sosapajexewa.pdf
- http://mufezupep.iblogger.org/application_octet-_stream_to_online.pdf
- http://besemafobekilir.22web.org/city_alessandro_baricco.pdf
- http://tafakiduwav.scienceontheweb.net/biology_gk_in_bengali_download.pdf
- http://pevawafo.iblogger.org/natinokekidapafad.pdf
- https://cdn.sqhk.co/viwitukaz/Zeiidja/71359115110.pdf
- http://gexopidikimo.mygamesonline.org/pci_b._pharmacy_syllabus.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://jijekoseme.epizy.com/bruce_lee_quotes_easy_life.pdf
- http://tokozod.myartsonline.com/how_do_you_clean_a_bunn_coffee_maker.pdf
- http://fonenutekosut.epizy.com/razupa.pdf
- http://zepakom.rf.gd/archicad_tutorial_download.pdf
- http://gudukiderunusu.myartsonline.com/71777254213.pdf
- http://mokineso.epizy.com/metolupunevuromapomenewep.pdf
- http://mikejalikesilal.epizy.com/35564173346.pdf
- http://dejavu.sourceforge.net
- http://scripts.sil.org/OFL
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_008_off00017e1c.bin` `27b192321e34301fdaaa6bd76cf3afdf6f8572eb3ac8df691f2d8e1c1f106972`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x17E1C	25328 bytes
`font_00_sfnt_off00012f2c.bin` `2ef70e05fcf46c20d595ff74c0a08690ea643bd08cfaad1d3b6f9cfaade382e0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12F2C	5436 bytes
`font_01_sfnt_off000141b2.bin` `44842e9a66632aaf03d9108cba7bdb700c88bdcf08116dceca034c8ffabddfcb`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x141B2	10916 bytes
`font_02_sfnt_off0001676e.bin` `4a948ea811c1a74b7c6bd6f814f46aea153577de6ee997e0318dc690328e2b2b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1676E	16496 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.