Malicious PDF — malware analysis report

Static analysis result for SHA-256 84b53b0f6b9a3f5e…

MALICIOUS

PDF

Size: 53.1 KB
Created: 2021-02-27 19:19:10 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-17
MD5: db2be9cbb20d9df38f7e629d2d4415d9
SHA-1: ee36adab4bb71f5f1aebe649255f594e4231ff80
SHA-256: 84b53b0f6b9a3f5ed2268e240e710fc04266eebde190c46f362019ce85aab286
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries a link annotation whose /URI action points to a suspicious domain (midufefew.ru, with a 'stapler instructions' search phrase in the query string), and ClamAV matches the file as Pdf.Phishing.Trojan. The document text, though heavily obfuscated, is padded with further .pdf links on file-hosting and CDN domains, a layout consistent with mass-produced SEO lure documents; the creator tag (wkhtmltopdf) shows the file was rendered from an HTML page rather than authored in an office suite. Only the annotation URL is clickable; the others are inert unless the viewer auto-links text. Taken together with the ML classifier score, the external URL action indicates phishing intent: a user who clicks the lure is most likely redirected to a second-stage page or payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6648

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/award?keyword=swingline+heavy+duty+stapler+instructions (PDF link annotation)
    • https://cdn.sqhk.co/mogizufofuj/ihh2P2v/debamasovukafonubad.pdf (in PDF document text)
    • https://gusumumonabol.weebly.com/uploads/1/3/0/7/130775475/8524515.pdf (in PDF document text)
    • https://cdn.sqhk.co/kepebeso/atQhijj/archery_black_bear_hunting_outfitters.pdf (in PDF document text)
    • https://cdn.sqhk.co/janurisu/hiMghic/my_photo_lyrical_video_status_maker_bit_master.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4479210/normal_601959e1142d7.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4403687/normal_5fd5f078d0ff2.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4448539/normal_60180ec0a0ff2.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4410985/normal_6014454f2fab7.pdf (in PDF document text)
    • https://cdn.sqhk.co/nuvexajamu/ghqFjfG/59046931878.pdf (in PDF document text)
    • https://cdn.sqhk.co/vopuvafamiw/ghpgcii/28254181295.pdf (in PDF document text)
    • https://s3.amazonaws.com/pasawexawinogad/70804329382.pdf (in PDF document text)
    • https://s3.amazonaws.com/webipejonavuv/aethon_tug.pdf (in PDF document text)
    • https://s3.amazonaws.com/vuzotisenixava/sap_crystal_reports_designer_2013.pdf (in PDF document text)
    • https://s3.amazonaws.com/dukajevo/xarofiwoz.pdf (in PDF document text)
    • https://s3.amazonaws.com/ruzaganog/fekerogapip.pdf (in PDF document text)
    • https://s3.amazonaws.com/bofake/11656920116.pdf (in PDF document text)
    • https://s3.amazonaws.com/xalexojaxipud/ford_4500_backhoe_specs.pdf (in PDF document text)
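The PDF_URI and EMBEDDED_URL heuristics above hinge on the channel that reaches each URL: a /URI action attached to a link annotation fires when the user clicks the annotation rectangle, whereas a URL that only occurs in the page text does nothing unless the viewer auto-links it. The Python script below is an added illustration of that triage, not part of the analysis platform's tooling: it builds a constructed two-channel sample PDF (placeholder domains lure.example and files.example) and groups the URLs it finds by channel, additionally checking for a /URI action reachable through /OpenAction, which fires on open without any click (a channel this report did not observe in the sample). It uses only the standard library and a regex-level parse, so it copes with plain and FlateDecode streams but not with object streams, cross-reference streams or escaped string literals; for a real sample, normalise first (for example with `qpdf --qdf`) or use a full PDF parser.

```python
import re
import zlib

# Regex-level PDF parsing: adequate for uncompressed objects and Flate streams,
# NOT for object streams (/ObjStm), xref streams or escaped string literals.
OBJ_RE = re.compile(rb'(\d+)\s+(\d+)\s+obj(.*?)endobj', re.S)
STREAM_HEAD_RE = re.compile(rb'<<(.*?)>>\s*stream\r?\n', re.S)
URI_ACTION_RE = re.compile(rb'/S\s*/URI\b.*?/URI\s*\(([^)]*)\)', re.S)
URL_RE = re.compile(rb'https?://[^\s()<>"\']+')
# String literals and the line-advance operators (Td, TD, T*) inside a BT...ET block.
TEXT_TOKEN_RE = re.compile(rb'\(([^)]*)\)|\s(Td|TD|T\*)(?=\s|$)')


def _objects(data: bytes) -> dict:
    """Map object number -> raw body (everything between 'obj' and 'endobj')."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(data)}


def _decoded_stream(body: bytes):
    """Return the decoded stream payload of one object, or None if it has no stream."""
    m = STREAM_HEAD_RE.search(body)
    if not m:
        return None
    head, start = m.group(1), m.end()
    # Prefer a direct /Length (an indirect '/Length 5 0 R' is skipped) over scanning.
    length = re.search(rb'/Length\s+(\d+)(?!\s+\d+\s+R)', head)
    end = start + int(length.group(1)) if length else body.rfind(b'endstream')
    payload = body[start:end]
    if b'/FlateDecode' in head:
        try:
            payload = zlib.decompress(payload)
        except zlib.error:
            return None  # damaged or multi-filter stream: skip rather than guess
    return payload


def extract_urls(data: bytes) -> dict:
    """Return URLs grouped by the channel that reaches them, most dangerous first."""
    objs = _objects(data)
    out = {"open_action": [], "link_annotation": [], "other_uri_action": [], "document_text": []}

    # Objects referenced by /OpenAction run when the document is opened: no click needed.
    auto_fire = set()
    for body in objs.values():
        for ref in re.findall(rb'/OpenAction\s+(\d+)\s+\d+\s+R', body):
            auto_fire.add(int(ref))

    for num, body in objs.items():
        for uri in URI_ACTION_RE.findall(body):
            url = uri.decode('latin-1')
            if num in auto_fire or b'/OpenAction' in body:
                out["open_action"].append(url)
            elif b'/Subtype' in body and b'/Link' in body:
                out["link_annotation"].append(url)
            else:
                out["other_uri_action"].append(url)  # e.g. a detached action object

    # URLs that merely appear in page text: inert unless the viewer auto-links them.
    for body in objs.values():
        stream = _decoded_stream(body)
        if stream is None:
            continue
        for block in re.findall(rb'BT(.*?)ET', stream, re.S):
            # Join the literals of one text object (writers split URLs across Tj/TJ
            # operators) but break at line advances so two URLs are not glued together.
            text = b''.join(lit if lit else (b'\n' if move else b'')
                            for lit, move in TEXT_TOKEN_RE.findall(block))
            out["document_text"] += [u.decode('latin-1') for u in URL_RE.findall(text)]
    return out


def build_sample_pdf() -> bytes:
    """Constructed two-channel sample (not the analysed file): one clickable /Link URI
    plus one URL present only in the Flate-compressed page text. The xref table is
    omitted because this parser does not need it."""
    content = b'BT /F1 12 Tf 72 700 Td (Manual: https://files.example/manual.pdf) Tj ET'
    packed = zlib.compress(content)
    objs = [
        b'<< /Type /Catalog /Pages 2 0 R >>',
        b'<< /Type /Pages /Kids [3 0 R] /Count 1 >>',
        b'<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] '
        b'/Contents 4 0 R /Annots [5 0 R] >>',
        b'<< /Length %d /Filter /FlateDecode >>\nstream\n' % len(packed) + packed + b'\nendstream',
        b'<< /Type /Annot /Subtype /Link /Rect [72 690 400 720] '
        b'/A << /S /URI /URI (https://lure.example/award?keyword=stapler+instructions) >> >>',
    ]
    pdf = b'%PDF-1.4\n'
    for num, body in enumerate(objs, 1):
        pdf += b'%d 0 obj\n' % num + body + b'\nendobj\n'
    return pdf + b'%%EOF\n'


if __name__ == "__main__":
    for channel, urls in extract_urls(build_sample_pdf()).items():
        print(channel, urls)
```

On the report's sample this split reproduces the per-URL labels: the midufefew.ru URL belongs in link_annotation and the seventeen .pdf links in document_text. Anything that lands in open_action deserves immediate escalation, since it needs no user interaction at all.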