Malicious PDF — malware analysis report

Static analysis result for SHA-256 883b662edc54f2ae…

Verdict: MALICIOUS
File type: PDF
Size: 59.7 KB
Created: 2021-06-09 21:19:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4dd4f0934904d5c6abb602b7e0889cb3
SHA-1: dbbaf63fc5913b3e6cea63ae57fd0aa5f00efa9a
SHA-256: 883b662edc54f2aecf8c416a78feb57c089399e051ee22d1b19b09de156622e2
Risk score: 94

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF carrying an external URI action whose target (smidgel.ru, with a query string naming an algebra textbook) is dressed up as a textbook download. ClamAV and the ML classifier both flag the file as malicious, ClamAV specifically as a phishing trojan. The external URI is the delivery mechanism: the lure depends on the user clicking through to a secondary payload hosted elsewhere rather than on code inside the document itself. None of the three heuristics below reports JavaScript, so the T1059.007 mapping is not corroborated by the extracted artifacts. The authoring application (wkhtmltopdf, an HTML-to-PDF converter) is consistent with a lure page rendered from HTML. The remaining .pdf links sit under the upload directories of WordPress form plugins (super-forms, formcraft) on unrelated sites, which suggests abused file-upload endpoints on third-party hosts. The ascendercorp.com and scripts.sil.org/OFL entries are font vendor and licence URLs, most likely from the embedded font's name table rather than from a link, and are not indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9873

Heuristics (3)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://smidgel.ru/uplcv?utm_term=mcdougal+algebra+2+textbook+pdf
    • https://www.3dreamchurch.com/wp-content/plugins/super-forms/uploads/php/files/f6cec9520732db730cacb47cce01d044/renitupudajewerolexa.pdf
    • https://xn--80aaaglcftt5alesfkk7f.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/4d28837d415663505d82245e6d4be935/67710332030.pdf
    • https://www.physioaktivkramer.de/wp-content/plugins/formcraft/file-upload/server/content/files/16076d03b7f07d---fevigexiwidelimip.pdf
    • http://ilkyoukais.com/Images/Media/files/42777840732.pdf
    • http://frederickfollows.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1609802012ce1e---25171841758.pdf
    • http://armanetti.com/images/vatelus.pdf
    • https://moveo-sport.pl/userfiles/file/fexakavizuperagir.pdf
    • http://www.stockholmswingallstars.com/wp-content/plugins/formcraft/file-upload/server/content/files/160736080370b7---kokave.pdf
    • https://noddy.nu/images/file/josikuresidapewarezo.pdf
    • http://yuseigachi.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1607aa13894a5f---97979961655.pdf
    • https://heykidsletscook.info/wp-content/plugins/super-forms/uploads/php/files/8237d02082b4f6c6da7d77d2ce4e80ec/gutizam.pdf
    • https://mindweave.co.uk/wp-content/plugins/super-forms/uploads/php/files/d5dmhg26s2l1485sv5bor0j50h/zezokodufozelos.pdf
    • https://adlinefor.com/home/webagen/public_html/korn/data/file/danamufulitujilid.pdf
    • http://www.thelawchamber.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609c0a55a1d96---fijonan.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.org/OFL
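The PDF_URI and EMBEDDED_URL heuristics above differ in what they prove: a URL inside a /URI action is clickable, a URL inside a JavaScript action runs when the viewer executes it, and a URL that only appears in rendered text or in an embedded font's name table (such as the OFL licence link) carries no action at all. The following script, added here as an illustration and not part of the report generator, labels each URL with the channel it was found in. It also shows why a plain grep over the file is not enough: the page content is FlateDecode-compressed, so the lure text it prints is invisible until the stream is inflated. The sample PDF, its hosts (lure.example, smidgel.example, js.example) and the fake font blob are constructed for the example; only the standard library is used.

```python
"""Channel-labelled URL extraction from a PDF.  Added example for the PDF_URI and
EMBEDDED_URL heuristics; not the report generator's own code.  The sample PDF
and the hosts it references are constructed."""
import re
import zlib

# Control characters and PDF delimiters terminate a URL candidate.
URL_RE = re.compile(rb"https?://[^\x00-\x20()<>\"']+")
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def build_sample_pdf() -> bytes:
    """Constructed PDF: a /Link annotation with a /URI action, a FlateDecode page
    stream that only *prints* a URL, an OpenAction JavaScript that launches a URL,
    and an embedded font program whose name table carries the OFL licence URL."""
    page = (b"BT /F1 12 Tf 72 700 Td (Download: http://lure.example/book.pdf) Tj "
            b"0 -20 Td (Mirror: http://lure.example/book.pdf) Tj ET")
    packed = zlib.compress(page, 9)          # repetition guarantees real compression
    font = b"\x00\x01\x00\x00name\x00http://scripts.sil.org/OFL\x00"   # fake sfnt blob
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 712] "
        b"/A << /S /URI /URI (https://smidgel.example/uplcv?utm_term=textbook+pdf) >> >>",
        b"<< /S /JavaScript /JS (app.launchURL(\"http://js.example/stage2\", true);) >>",
        b"<< /Type /FontDescriptor /FontName /Sample /FontFile2 8 0 R >>",
        b"<< /Length %d /Length1 %d >>\nstream\n" % (len(font), len(font))
        + font + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for n, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % n + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref))
    return bytes(out)


def inflate_streams(obj: bytes) -> bytes:
    """Replace each FlateDecode stream in an object with its inflated bytes; other
    streams (and corrupt ones) are left as-is so the scan still sees raw bytes."""
    if b"/FlateDecode" not in obj:
        return obj

    def _inflate(m):
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)

    return STREAM_RE.sub(_inflate, obj)


def channel_of(obj: bytes) -> str:
    """Label the channel through which a URL in this object would reach a viewer."""
    if re.search(rb"/S\s*/URI\b", obj):
        return "uri_action"      # clickable link, or fired by an OpenAction
    if re.search(rb"/S\s*/JavaScript\b", obj) or re.search(rb"/JS\b", obj):
        return "javascript"      # executed by the viewer's JS engine
    if re.search(rb"/Length1\b", obj) or b"/FontFile" in obj:
        return "font_program"    # vendor/licence strings inside an embedded font
    return "body"                # rendered text only: no action attached


def extract_urls(pdf: bytes) -> dict:
    """Map channel label -> sorted unique URLs found in objects of that channel."""
    found = {}
    for m in OBJ_RE.finditer(pdf):
        body = inflate_streams(m.group(2))
        label = channel_of(body)
        for url in URL_RE.findall(body):
            found.setdefault(label, set()).add(url.decode("latin-1"))
    return {k: sorted(v) for k, v in found.items()}


def naive_grep(pdf: bytes) -> list:
    """What a plain strings/grep pass sees: compressed streams are invisible to it."""
    return sorted({u.decode("latin-1") for u in URL_RE.findall(pdf)})


if __name__ == "__main__":
    sample = build_sample_pdf()
    for label, urls in extract_urls(sample).items():
        for u in urls:
            print(f"{label:13s} {u}")
    missed = set(extract_urls(sample).get("body", [])) - set(naive_grep(sample))
    print("missed by naive grep:", missed)
```

Only the uri_action and javascript labels describe something the viewer will act on; body and font_program hits are context for the analyst, which is how the OFL and ascendercorp.com entries in the list above should be read. A production triage tool would additionally resolve indirect references (the /OpenAction here points at object 6) and handle object streams and other filters.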

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000c578.bin
SHA-256: c4ad74889c30f30dc66dbd86212c2b05a1dd687442205240423ffd750acc3d17
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xC578
Size: 5556 bytes