Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b86df9c3f5d6cd0…

Verdict: MALICIOUS
File type: PDF
Size: 57.1 KB
Created: 2021-04-09 21:45:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9f4cf3a6cc488d1988f10b3669260ffd
SHA-1: f052c6b6f5e38c13c800d5366a5d0c66359806bf
SHA-256: 7b86df9c3f5d6cd0034a13c2e8107955367a8bd8a386aad9aefa021e6ab56fcd
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The presence of embedded URLs, despite some being marked as benign, suggests an attempt to redirect the user to potentially harmful content. The document body, though heavily obfuscated, contains metadata related to its creation, which does not detract from the malicious verdict.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9630

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d320.bin
SHA-256: ea2a183214d2663c8a6fe8409bb06b56b7816eacf102a92a3eee8f793a52c12b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xD320
Size: 4988 bytes