Malicious PDF — malware analysis report

Static analysis result for SHA-256 878a90b3a2e92e5d…

Verdict: MALICIOUS
File type: PDF
Size: 72.2 KB
Created: 2021-03-30 16:01:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 53540e5211e0aa5fe92800fb56e7c1f5
SHA-1: 3388600e05bf0a81c3b38851ab4352da390dee47
SHA-256: 878a90b3a2e92e5ddb6a42180ad5f88940b5ca644d4af83fb70c61c561d8baca
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF was flagged as malicious by the ML classifier (Nyx score 0.9607) and by ClamAV, whose signature name classifies it as PDF phishing. The file carries an external URL action; the first extracted URL, https://fokemale.ru/award?keyword=appeals+in+advertising+pdf, points to a domain assessed as hosting a follow-on payload, so the likely intent is to steer the reader to a site that serves further malware. The body text, although heavily obfuscated, relates to "appeals in advertising", matching the keyword in that URL and consistent with a search-engine lure document. Note that none of the four heuristics below reports embedded JavaScript, so the T1059.007 mapping is not corroborated by the static findings listed here.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9607

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://fokemale.ru/award?keyword=appeals+in+advertising+pdf
    • https://static.s123-cdn-static.com/uploads/4408595/normal_5ffcdd09ad17a.pdf
    • https://ribavazo.weebly.com/uploads/1/3/5/3/135322422/74a3ae260bac.pdf
    • https://cdn-cms.f-static.net/uploads/4386076/normal_60317572ef646.pdf
    • http://lejidakoxinetog.mywebcommunity.org/69741816918.pdf
    • http://boevoenlp.com/fuzirafopefisabuveripipuhewfe.pdf
    • http://deutschebank-meine.com/jedamulusepalimemeboagp4t.pdf
    • http://luxuwum.mypressonline.com/jidoxorikijukilivomagolu.pdf
    • https://static.s123-cdn-static.com/uploads/4479462/normal_5fe1c8034906a.pdf
    • https://gapibuxox.weebly.com/uploads/1/3/2/6/132695643/tulajibugeponife.pdf
    • http://instapresent.site/vcredist_x64._exe_2010_freerh88o.pdf
    • http://1offpark.xyz/dewalt_20v_max_xr_brushless_drill_driver_compact_-_bare_tooltadmi.pdf
    • http://livethailand.fun/zither_sheet_musickmkhf.pdf
    • http://azules.ru/how_to_tell_how_old_my_singer_sewing_machine_is9t6kx.pdf
    • http://yarrebitteh.online/1._mouawad_1001_nights_diamond_purseb0xkj.pdf
    • http://filanion.online/pioneer_avic-x850bt_reset_button0iqa0.pdf
    • http://septiki-rf.website/gowukevugejixebenepeno65xtv.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://eff7b67d-fef5-45b7-bcd6-ffb1b71d3a14.filesusr.com/ugd/b4c9df_2ab538f48d704248b6bdf735056e7e98.pdf?index=true
    • https://3f740848-0e57-4b51-8596-564812021bec.filesusr.com/ugd/cbe17c_c4811a182b8b45e8b2a0127ab092ab5e.pdf?index=true
    • http://tifilow.onlinewebshop.net/the_magicians_season_5_episode_6_promo.pdf
    • http://faleferesevo.onlinewebshop.net/80148497985.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e716.bin
    SHA-256: 6b49440a64c426489125c72bce1aa5ddc2e8fffd990941fbf3eddfa77a22b904
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE716
    Size: 5256 bytes
  • font_01_sfnt_off0000f912.bin
    SHA-256: 8db6f9deffd492943d4568d5ef22a35eb33f4e4516536a58b130db94ca002514
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF912
    Size: 11548 bytes
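The two carved artifacts are sfnt containers (the TrueType/OpenType table-directory format) located by scanning the file for an offset table at byte offsets 0xE716 and 0xF912. The Python below is an added example of that carving step and is not the analyser's code: it validates the directory (numTables, the searchRange/entrySelector/rangeShift triple, table bounds and per-table checksums) before accepting a hit, hashes the carved bytes and names them in the same font_NN_sfnt_offXXXXXXXX.bin pattern used above. The buffer it scans is constructed in the block; build_sfnt exists only to manufacture the test fonts, and the DECOY header is a deliberate false positive that must be rejected.

```python
"""Carve sfnt (TrueType/OpenType) fonts out of an arbitrary byte buffer by
validating the offset table and table directory. Added example; constructed input."""
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"typ1")
HEADER = struct.Struct(">4sHHHH")   # sfntVersion, numTables, searchRange, entrySelector, rangeShift
RECORD = struct.Struct(">4sIII")    # tag, checkSum, offset, length


def _pad4(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 4)


def table_checksum(data: bytes) -> int:
    """Sum of big-endian uint32 words over the 4-byte-padded table, mod 2^32."""
    padded = _pad4(data)
    return sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF


def build_sfnt(tables: dict) -> bytes:
    """Assemble a minimal, directory-consistent sfnt (used only to construct test input)."""
    n = len(tables)
    sel = n.bit_length() - 1            # floor(log2 n)
    search = (1 << sel) * 16
    out = bytearray(HEADER.pack(b"\x00\x01\x00\x00", n, search, sel, n * 16 - search))
    body, offset = bytearray(), HEADER.size + n * RECORD.size
    for tag, data in tables.items():
        out += RECORD.pack(tag, table_checksum(data), offset, len(data))
        body += _pad4(data)
        offset += len(_pad4(data))
    return bytes(out + body)


def parse_sfnt_at(buf: bytes, start: int):
    """Return the total length of a valid sfnt starting at `start`, or None."""
    if buf[start:start + 4] not in SFNT_MAGICS or len(buf) - start < HEADER.size:
        return None
    _, n, search, sel, shift = HEADER.unpack_from(buf, start)
    if not 1 <= n <= 64 or sel != n.bit_length() - 1 \
            or search != (1 << sel) * 16 or shift != n * 16 - search:
        return None
    dir_end = HEADER.size + n * RECORD.size
    if len(buf) - start < dir_end:
        return None
    end = dir_end
    for i in range(n):
        tag, csum, off, length = RECORD.unpack_from(buf, start + HEADER.size + i * RECORD.size)
        if not all(0x20 <= c <= 0x7E for c in tag) or off < dir_end or off + length > len(buf) - start:
            return None
        # 'head' carries checkSumAdjustment, so its directory checksum never matches; verify the rest.
        if tag != b"head" and table_checksum(buf[start + off:start + off + length]) != csum:
            return None
        end = max(end, off + length)
    return min(end + (-end % 4), len(buf) - start)


def carve_sfnt(buf: bytes) -> list:
    """Scan every byte offset; emit one record per validated font, skipping past its body."""
    found, pos = [], 0
    while pos < len(buf):
        size = parse_sfnt_at(buf, pos)
        if size is None:
            pos += 1
            continue
        blob = buf[pos:pos + size]
        found.append({"offset": pos, "size": size,
                      "sha256": hashlib.sha256(blob).hexdigest(),
                      "name": "font_%02d_sfnt_off%08x.bin" % (len(found), pos)})
        pos += size   # do not rescan table data, which may itself contain a magic value
    return found


# Constructed test buffer (hypothetical, not the analysed sample): two fonts wrapped
# in PDF-style stream objects, preceded by a decoy header whose numTables is 0.
FONT_A = build_sfnt({b"head": b"\x00\x01\x00\x00" + bytes(50),
                     b"hhea": bytes(range(36)),
                     b"maxp": b"\x00\x00\x50\x00\x00\x10"})
FONT_B = build_sfnt({b"CFF ": b"\x01\x00\x04\x01" + bytes(29),
                     b"name": b"\x00\x00\x00\x00\x00\x06"})
DECOY = b"\x00\x01\x00\x00" + bytes(8)
SAMPLE_BLOB = (b"%PDF-1.4\n% junk " + DECOY
               + b"\n7 0 obj << /Length 160 /Length1 160 >>\nstream\n" + FONT_A
               + b"\nendstream\nendobj\n8 0 obj << /Length 88 >>\nstream\n" + FONT_B
               + b"\nendstream\nendobj\n%%EOF\n")
OFF_DECOY = SAMPLE_BLOB.index(DECOY)
OFF_A = SAMPLE_BLOB.index(FONT_A)
OFF_B = SAMPLE_BLOB.index(FONT_B)
EXPECTED_SHA = [hashlib.sha256(f).hexdigest() for f in (FONT_A, FONT_B)]
CARVED = carve_sfnt(SAMPLE_BLOB)

if __name__ == "__main__":
    for rec in CARVED:
        print(rec)
```

The checksum and directory checks are what keep a byte scan for 0x00010000 from firing on every 32-bit version field in the file; for a real sample, carving the decoded /FontFile2 or /FontFile3 stream is the cleaner path, and the raw scan is the fallback when the object structure cannot be walked.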