Malicious PDF — malware analysis report

Static analysis result for SHA-256 7895b63dd503aa09…

Verdict: MALICIOUS
File type: PDF
Size: 74.2 KB
Created: 2020-12-26 19:29:46 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d793f2cf92e4a2a2443d2c29720853a2
SHA-1: 9ca37a0e2d36c9a9e1e43ae518489b9372ffa700
SHA-256: 7895b63dd503aa09d273f590c18887be5afefc09143c1c3333e1ca97bc43f962
Risk Score: 94

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL pointing to a suspicious domain, which was flagged by heuristics as potentially malicious. ClamAV also detected the file as Pdf.Phishing.Trojan. While no scripts were explicitly extracted, the presence of an external URI and the ML classifier's output strongly suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9402

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffking.ru/strik?utm_term=red+virus+dr+mario
    • https://cdn-cms.f-static.net/uploads/4371272/normal_5fbadfdb2355d.pdf
    • https://cdn.sqhk.co/bawivurolut/haPPggI/bolarek.pdf
    • https://cdn.sqhk.co/dujujema/cfiijgo/siren_head_sound_effect_roblox_id.pdf
    • https://cdn.sqhk.co/xisiwuba/jeifkRI/18850127180.pdf
    • https://cdn.sqhk.co/ledumixifer/zmjfMji/nfl_network_youtube_tv_2019.pdf
    • https://cdn.sqhk.co/wetotuluxe/iiifhjb/jizelozisabup.pdf
    • https://cdn.sqhk.co/lokalofobox/ifaDYdH/88046214529.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/bevarolimesale/39754047339.pdf
    • https://s3.amazonaws.com/zidenigad/agenda_iphone_koppelen_met_android.pdf
    • https://s3.amazonaws.com/megelugik/data_analysis_in_excel_2007.pdf
    • https://s3.amazonaws.com/leguvefu/guvebididutakadi.pdf
    • https://s3.amazonaws.com/purixifusipelid/free_printable_letter_d_worksheets_for_preschool.pdf
    • https://s3.amazonaws.com/zewimu/ranixubapigozijenejedoxag.pdf
    • https://s3.amazonaws.com/nilafafakem/hsbc_gender_pay_gap_report_2018.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • font_00_sfnt_off0000fe64.bin
    SHA-256: 3271a207df174fd8dedd6e59cf17e214ad033d5a3865cb42a15af3692bdb2486
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFE64
    Size: 5144 bytes
  • font_01_sfnt_off00011053.bin
    SHA-256: a20ff9dac17fb3105752ea6ea6a6bb4f894737d23553602b158c7234d5b65cb1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11053
    Size: 5008 bytes