Malicious PDF — malware analysis report

Static analysis result for SHA-256 8556d635173014a2…

Verdict: MALICIOUS
File type: PDF
Size: 67.0 KB
Created: 2021-03-13 20:51:10 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-24
MD5: 131b3f4286b5aca6fc0cda00267dad15
SHA-1: f0ba52041285326f032638ed24e96426fb7706cf
SHA-256: 8556d635173014a2158e0c130ca48b54910ac5b589db3367e78ed26d08dd85db
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7994

Heuristics (3)

  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI. The PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ef36.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xEF36
Size: 5528 bytes
SHA-256: 94e9f3e5b8ce70977532d445b442f29c9b1862cf988d205c1fb052b2438982f8