Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f90d1cb03749961…

MALICIOUS

PDF

75.0 KB Created: 2021-04-04 15:30:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c33479724ef260a289636b581219dab2 SHA-1: e733f856df54416ff9f27d7705f059e6636bfdb8 SHA-256: 8f90d1cb037499613351db024b9cb5e29a4f80c2b63310b57b866b1805911cb5
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, specifically as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, which is likely used to deliver a malicious payload or conduct phishing. The document body is heavily obfuscated, preventing a clear understanding of its specific lure, but the presence of the malicious URL strongly suggests a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8907

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://midufefew.ru/award?keyword=contoh+business+model+canvas+makanan+pdf

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010297.bin
SHA-256: b6266f7c9ba86fbd8814e3ea31442549a524f1279f25bdc996f69dde29f71e7b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10297
Size: 5468 bytes