Malicious PDF — malware analysis report

Static analysis result for SHA-256 8665de9cfe370aa0…

MALICIOUS

PDF

Size: 85.7 KB Created: 2021-04-06 12:52:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 81b5b41f46e2613d3cd6a85916b27ab4 SHA-1: 38bb9c88a803d05d282b5549a4994e62763935c2 SHA-256: 8665de9cfe370aa0b0146b2ba94cd16114b9b2153b806fc5b2c7d2ccec0071cc
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF carrying an external URI action (PDF_URI) that points at a suspicious domain; ClamAV identifies it as Pdf.Phishing.Trojan and the ML classifier independently scores it malicious (0.6805). No JavaScript or other script content was extracted, so the T1059.007 mapping is not backed by observed script; the evidence rests on the link action plus the signature hit. The most likely purpose is a lure document that redirects the reader to a remote site, either for credential phishing or to fetch a second-stage file. Not every extracted URL is a pivot: the dejavu.sourceforge.net, scripts.sil.org/OFL and ascendercorp.com entries are consistent with licence strings in the two embedded sfnt fonts rather than with link actions, and the wkhtmltopdf producer string indicates the document was rendered from HTML, which fits a bulk-generated lure. Check the per-URL channel labels below before treating a URL as an indicator.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6805

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://mezovuduw.ru/award?keyword=belajar+tajwid+lengkap+pdf
    • http://gromstroy.com/412925468762kow3.pdf
    • https://static.s123-cdn-static.com/uploads/4413712/normal_6003ec09ac1ab.pdf
    • https://tunajixawovu.weebly.com/uploads/1/3/0/8/130873758/levumi_kewoludezap_mesebopaviv.pdf
    • http://bazis-rostov.com/56390650214tnd1p.pdf
    • https://cdn-cms.f-static.net/uploads/4413007/normal_6049c1421405e.pdf
    • https://cdn-cms.f-static.net/uploads/4368763/normal_5fd242481c001.pdf
    • http://shoppingyxplus.xyz/how_to_fix_logitech_z506_speakersnpzt0.pdf
    • http://chambrehub.xyz/zosimededatajo1q5q5.pdf
    • https://cdn-cms.f-static.net/uploads/4382412/normal_6052b1bd12951.pdf
    • https://benejawu.weebly.com/uploads/1/3/4/1/134131543/wavuze.pdf
    • https://cdn-cms.f-static.net/uploads/4448984/normal_6023f796d4de0.pdf
    • https://defagetomorig.weebly.com/uploads/1/3/4/5/134576552/tasuginarevuki_gorik_falozadizo_vizulivi.pdf
    • http://study-english-02.space/fusexaravapifovisomodulimabfde.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/2e68cf6d-4e33-4660-bc8b-dfcb9e599d76/55327952632.pdf
    • https://s3.amazonaws.com/ligole/rayovac_class_2_battery_charger_model_ps334.pdf
    • https://s3.amazonaws.com/tobobowu/la_crosse_technology_alarm_clock_manual.pdf
    • https://s3.amazonaws.com/xufaxoferugod/84578172333.pdf
    • https://uploads.strikinglycdn.com/files/84f661ce-fa94-470a-8bf1-2594db7fc30d/36510014505.pdf
    • https://uploads.strikinglycdn.com/files/98782996-e825-48b8-a11f-cb2ad740dd15/52967599584.pdf
    • https://s3.amazonaws.com/mulerux/tebalixasi.pdf
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL
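The PDF_URI and EMBEDDED_URL heuristics above, together with the per-URL channel labelling the EMBEDDED_URL note describes, can be reproduced with a small stand-alone triage script. The following is an added example, not the analysis platform's own code and not derived from this sample: it builds a constructed PDF inline (one /Link annotation with a /URI action, one FlateDecoded content stream that mentions a URL, and one FlateDecoded stream that starts with a TrueType sfnt magic as a stand-in for an embedded font), inflates the streams, and labels every URL with the channel that reached it. The hostnames, object numbers and stream contents in the sample are assumptions made for the example; only /FlateDecode and literal-string /URI values are handled.

```python
"""Minimal PDF URL/stream triage: finds /URI link actions, inflates FlateDecode
streams, scans everything for URLs and labels each URL with the channel that
reached it. Added example, not the analysis platform's code; the sample PDF
below is constructed inline so the script runs offline."""
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# Literal-string form only: /URI (http://...). Hex strings and escaped
# parentheses inside the string are not handled by this toy parser.
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[A-Za-z0-9\-._~:/?#\[\]@!$&'*+,;=%]+")
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")


def build_sample_pdf() -> bytes:
    """Constructed sample (assumed hosts/objects): one /Link annotation with a
    /URI action, one FlateDecoded content stream carrying a URL in its text,
    and one FlateDecoded stream that starts with a TrueType (sfnt) magic."""
    text = b"BT /F1 12 Tf 72 700 Td (see http://example.test/doc.pdf) Tj ET"
    content = zlib.compress(text)
    font = zlib.compress(b"\x00\x01\x00\x00" + b"\x00" * 32)  # stand-in font data
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >>",
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
        b"/A << /S /URI /URI (https://mezovuduw.ru/award?keyword=x) >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
        + content + b"\nendstream",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(font)
        + font + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def inflate_streams(data: bytes):
    """Return [(file offset, decompressed bytes, kind)] for every FlateDecode
    stream. Only /FlateDecode is handled; LZW, ASCIIHex etc. are skipped."""
    out = []
    for obj in OBJ_RE.finditer(data):
        if b"/FlateDecode" not in obj.group(3):
            continue
        s = STREAM_RE.search(obj.group(3))
        if not s:
            continue
        try:
            # decompressobj tolerates trailing junk / truncation better than zlib.decompress
            raw = zlib.decompressobj().decompress(s.group(1))
        except zlib.error:
            continue  # corrupt stream: record nothing rather than abort the triage
        offset = obj.start(3) + s.start(1)
        kind = "sfnt-font" if raw.startswith(SFNT_MAGICS) else "content"
        out.append((offset, raw, kind))
    return out


def extract_urls(data: bytes):
    """Map each URL to the set of channels that reached it: 'uri_action'
    (explicit /URI action), 'plaintext' (visible in the raw file) or
    'flate_stream' (only visible after inflating a stream, which is where
    PDF 1.5+ object streams can hide link annotations)."""
    found = {}

    def add(url: bytes, channel: str):
        found.setdefault(url.decode("latin-1"), set()).add(channel)

    sources = [("plaintext", data)]
    sources += [("flate_stream", raw) for _, raw, _ in inflate_streams(data)]
    for channel, body in sources:
        for m in URI_ACTION_RE.finditer(body):
            add(m.group(1), "uri_action")
        for m in URL_RE.finditer(body):
            add(m.group(0), channel)
    return found


if __name__ == "__main__":
    pdf = build_sample_pdf()
    for off, raw, kind in inflate_streams(pdf):
        print(f"stream @0x{off:x} {kind} {len(raw)} bytes")
    for url, channels in sorted(extract_urls(pdf).items()):
        print(f"{url}  <- {', '.join(sorted(channels))}")
```

On the constructed sample the /URI action URL is labelled both uri_action and plaintext, while the URL inside the content stream is reachable only via flate_stream; a URL that only ever shows up as plaintext inside a font stream is the kind of licence string the summary above warns against treating as an indicator. Run it against a real file with `extract_urls(open(path, "rb").read())`; encrypted PDFs and non-Flate filters will yield nothing from the stream channel.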

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind                     Source                                      Size
stream_004_off00012745.bin    decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x12745   27608 bytes
  SHA-256: 2031ed3a1fe0f412f876b6aca0679ba60d9f7f32817e584dc716c3c321d6b7d6
font_00_sfnt_off0000efd1.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0xEFD1   5312 bytes
  SHA-256: 48e8736699b35d83c59f5380838c1b96b67c7edb77a119054d33ecbc5ecea02f
font_01_sfnt_off00010212.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x10212  11184 bytes
  SHA-256: fef538b4f9ebee83ae66093611d75eaa084271d69204acd24bfa66eb433163e4