Malicious PDF — malware analysis report

Static analysis result for SHA-256 75917816a92edc0e…

Verdict: MALICIOUS
File type: PDF
Size: 76.3 KB
Created: 2021-03-22 05:35:49 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 285c9132c06118d8e6d18fa04aa6c15d
SHA-1: 1a67362e1d498835996de2beba77517eab5dd04c
SHA-256: 75917816a92edc0e113aee7686373a056846e3265b69e283d2fdaf310601628b
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a suspicious domain, identified by heuristics as potentially malicious and flagged by ML classifiers and ClamAV. The document body, though heavily obfuscated, suggests a lure related to 'catholic mass responses pdf', likely intended to trick users into visiting the malicious URL for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9164

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • Flagged URL: https://vilenefex.ru/award?keyword=catholic+mass+responses+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001008a.bin
  SHA-256: 11c564441a00701d3a47be639f0148f286af36d8ad65d861e9485510087e4358
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1008A
  Size: 5208 bytes

Filename: font_01_sfnt_off00011217.bin
  SHA-256: 7694a17da7239891c3a1960faaace35433dfebbe3bb4d47da4abadb08576e92a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11217
  Size: 10860 bytes