Malicious PDF — malware analysis report

Static analysis result for SHA-256 8222899b9f43e694…

Verdict: MALICIOUS
File type: PDF

Size: 55.7 KB  Created: 2021-03-25 09:21:17 +02:00  Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2034c76881306ccb0f945b8ec0631625  SHA-1: 84315e568150617ef232394c17873a66db60a5b0  SHA-256: 8222899b9f43e6940f2c62496c059c4bfe0c406e4fdd25c241b59270ad15bc9e
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries an external URI action whose target is a suspicious domain (crophysi.ru), with a query string that mimics a search for "ryanair boarding pass pdf smartphone". ClamAV and the ML classifier both flag the file as malicious, and the findings are consistent with a phishing lure rather than an exploit document: no JavaScript or other scripts were extracted, so the risk lies in the external URI redirecting a reader who clicks the lure to a site that can harvest credentials or deliver malware. The remaining extracted URLs point to other PDF files on public CDN and file-hosting services, a pattern typical of mass-produced lure documents, and the wkhtmltopdf authoring tool in the metadata is consistent with the PDF having been rendered from a web page.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7499

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware under the signature name above.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels, where present, for which channel (macro, JS, link annotation, document body, ...) reached each URL. The first URL below is the target of the external URL action reported under PDF_URI.
    • https://crophysi.ru/award?keyword=ryanair+boarding+pass+pdf+smartphone
    • http://lulopoboxefon.scienceontheweb.net/malatidesolipamokuw.pdf
    • http://wivevadevenumet.mywebcommunity.org/kavezamexatafin.pdf
    • http://itgermany.net/lizinj59xu.pdf
    • https://cdn.sqhk.co/vozeseseber/jfQkTOr/english_song_video_download_site.pdf
    • http://copyrighthelpptteam.com/wesovuretider8q6y.pdf
    • https://cdn.sqhk.co/xibetevoxaj/cchiifU/80035887070.pdf
    • http://uggi-ugg.com/cartoon_hd_android_boxg8adx.pdf
    • https://uploads.strikinglycdn.com/files/8707f3c1-6e3e-4433-9623-c8d0156adfcf/sejujumuwuvudefimux.pdf
    • https://uploads.strikinglycdn.com/files/82a878b3-fb27-4dae-a0ce-88f022ffb295/53139720038.pdf
    • https://s3.amazonaws.com/sitozi/fallout_1_build_guide.pdf
    • https://uploads.strikinglycdn.com/files/dcf80c7f-4882-4a7a-84ec-1725528c3eff/west_bend_bread_machine_reviews.pdf
    • https://uploads.strikinglycdn.com/files/f760e233-95e9-49fe-9820-4cc100e46e3b/resumen_el_arte_de_amar_capitulo_2.pdf
    • https://s3.amazonaws.com/jezobasit/bridal_shower_mad_libs_template_free.pdf
    • https://uploads.strikinglycdn.com/files/ec3f8c85-e5d6-47ae-8ee7-96035e976f24/the_act_of_declaration_of_philippine_independence_reflection.pdf
    • https://uploads.strikinglycdn.com/files/ad13658f-5b09-4006-9eb6-6ff74bb3c377/56376514858.pdf
    • https://uploads.strikinglycdn.com/files/2f8b2d49-f401-416f-9d18-8d02f96591ef/geganeratotumoniwivugog.pdf
    • https://s3.amazonaws.com/jujadodedaruxix/googly_eyes_template.pdf
    • https://uploads.strikinglycdn.com/files/b4cf3dbb-ef39-4852-ab8e-79f5b4ecf0ff/different_types_of_psychological_tests.pdf