Malicious PDF — malware analysis report

Static analysis result for SHA-256 7c23530f16081845…

Verdict: MALICIOUS
File type: PDF
Size: 76.3 KB
Created: 2021-04-01 15:05:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a8c578e73543c9b6246630d731836684
SHA-1: e6d6a41dd62a94501f7a96816ba34209d8d1baca
SHA-256: 7c23530f16081845dca25b9c82b37ff8f7c3ec3155808d94a2ab6afcb7194c7f
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a phishing or malware distribution site. The document body, though heavily obfuscated, suggests a lure related to educational notes, a common tactic for phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9161

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/award?keyword=biomolecules+biology+class+11+notes+pdf
    • http://chisto-chisto52.ru/bozuvidq2lc4.pdf
    • http://chatik85939775.fun/corte_bob_rectomib9v.pdf
    • http://vinnipoh.fun/fiwijutvcif.pdf
    • http://donbetosstreettacos.com/human_body_temperature_app5tyxu.pdf
    • http://qrettalq.online/52512188317o9q2y.pdf
    • http://jewlgems.com/cuanto_es_8_1_2_pulgadas_en_centimetrosu1qgo.pdf
    • http://wersita.space/jofusejuki63ss.pdf
    • http://bupro.asia/waridisitowijubaveyid8s.pdf
    • http://reduslim-sito.site/65705836841xxnkx.pdf
    • http://nenusarawamis.22web.org/ill_be_there_to_save_the_day_superman_has_nothing_on_me.pdf
    • http://tokio-2020.fun/wosomop93f81.pdf
    • http://verifiedbadge-lnstagram.com/34836397248iz3w4.pdf
    • http://ottics.ru/ernest_holmes_science_of_mindxwuit.pdf
    • http://gratoramaa.space/android_studio_requirements_ubuntugf87x.pdf
    • http://pss77.ru/what_does_having_an_ankle_bracelet_meanc0rin.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/cc707100-185a-465b-8784-56e4b11b1dd5/renuxepezapudo.pdf
    • https://uploads.strikinglycdn.com/files/0660ef44-0f49-4fd9-81a1-ec593ed0db5d/jokutogo.pdf
    • https://uploads.strikinglycdn.com/files/85b3d20f-afe9-4f26-8a4c-72e557566a21/how_to_set_a_casio_wave_ceptor_watch.pdf
    • https://uploads.strikinglycdn.com/files/66593bd7-0958-48b7-b712-4a54cc247fff/what_are_the_5_stages_of_group_dynamics.pdf
    • http://kepemusodokiwif.rf.gd/affine_transformation_python_implementation.pdf
    • https://uploads.strikinglycdn.com/files/7f4caf3c-3de3-459b-8f50-38a0110617bd/nikon_coolpix_s33_sd_card.pdf
    • https://uploads.strikinglycdn.com/files/5b34491e-2cb9-4fb5-9ec2-49ba7f4478a1/xogajaguberikajevovad.pdf
    • https://uploads.strikinglycdn.com/files/ced4ff52-74e7-4769-942b-d287b25ec6d9/les_miserables_musical_cast_2020.pdf
    • https://uploads.strikinglycdn.com/files/06c65654-ad62-40a4-ab39-9d95ea552ed0/what_age_baby_einstein_jumper.pdf
    • https://uploads.strikinglycdn.com/files/3018868f-ccfb-4072-a453-8614abfdefde/1456953685.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000105e2.bin
SHA-256: c7294b9c213be5c7999b8c8c00dac8166f31104acc98132d8aecca51955ded89
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x105E2
Size: 5724 bytes