Malicious PDF — malware analysis report

Static analysis result for SHA-256 930db7eabce3b11d…

MALICIOUS

PDF

877.6 KB Created: 2021-06-06 07:30:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3694389a347d48bd6a98587b041e8985 SHA-1: 1c1edb65905ef12953315b7102f419e4a673cc7c SHA-256: 930db7eabce3b11d818ef7cfbfb2f6e58cbc9508004e814f23023ed69eddd0e6
64 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The ClamAV heuristic identified this PDF as a phishing trojan. The embedded URI points to a URL that appears to be a lure for children's stories, likely a social engineering tactic to redirect users to a malicious site. While no scripts were explicitly extracted, the PDF structure and embedded URIs suggest an attempt to deliver a malicious payload or redirect the user to a phishing site.

Machine Learning

  • Nyx PDF Classifier clean score 0.0196

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://inwebjor.ru/pbw?utm_term=cuentos+infantiles+cortos+para+ni%25C3%25B1os+de+suspenso
    • https://fofapabijutoza.weebly.com/uploads/1/3/4/7/134713913/693647.pdf
    • https://siteketu.weebly.com/uploads/1/3/4/3/134362374/78d196.pdf
    • https://webapifupa.weebly.com/uploads/1/3/4/7/134706955/945a99fc6435b.pdf
    • https://xomowozijirogap.weebly.com/uploads/1/3/4/6/134667332/boxeve.pdf
    • https://xezajorawelo.weebly.com/uploads/1/3/1/4/131408008/ff1644af3c.pdf
    • https://wapaberupuz.weebly.com/uploads/1/3/5/3/135397773/4385ab47.pdf
    • https://dexanobibe.weebly.com/uploads/1/3/5/2/135299911/kosit_mosusekav.pdf
    • https://kigotofu.weebly.com/uploads/1/3/5/3/135323523/zosoji.pdf
    • https://kunobutos.weebly.com/uploads/1/3/4/2/134234797/pazepafenal-neviragitedoju-meroliza.pdf
    • https://lugivizukur.weebly.com/uploads/1/3/1/8/131871894/6564605.pdf
    • https://zotikukubufo.weebly.com/uploads/1/3/4/7/134773644/zutinadavuj-jinita.pdf
    • https://kefenageteda.weebly.com/uploads/1/3/0/7/130775977/6b5d628a8c4d.pdf
    • https://danawejenig.weebly.com/uploads/1/3/4/4/134499985/807a1.pdf
    • http://fontawesome.iohttp://fontawesome.io/license/
    • http://www.opentle.org
    • http://fedorahosted.org/lohit
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/7bce3a46-8704-4d01-b371-681f05396b3f/how_to_use_the_ecers_rating_scale.pdf
    • https://uploads.strikinglycdn.com/files/0489341c-f798-4e22-aba7-ce6138ee8043/partial_differential_equations_evans_solutions_manual.pdf
    • http://wixugigir.pbworks.com/f/79542975514.pdf
    • https://uploads.strikinglycdn.com/files/f1f68fd3-8347-4839-bf0d-cf5ace5b0767/amazon_echo_dot_3rd_generation_user_guide.pdf
    • https://uploads.strikinglycdn.com/files/d70032c7-7375-4ba1-982c-ae5b66771946/nosql_distilled_download.pdf
    • https://uploads.strikinglycdn.com/files/6080c11b-3f57-4ce5-955f-555d2c797cc4/la_biblia_en_hebreo_original_y_espaol.pdf
    • http://gitefov.pbworks.com/w/file/fetch/144661827/36448459712.pdf
    • http://fujiserefi.pbworks.com/w/file/fetch/144678912/gowejafowozowor.pdf
    • https://uploads.strikinglycdn.com/files/bd53071a-3ad1-4c19-b01c-fa3adfdfbd66/thermal_physics_kittel_2nd_edition.pdf
    • https://uploads.strikinglycdn.com/files/b4f8dfed-3ff4-4c8c-8a00-cabf62605015/metal_gear_solid_3_pc_release.pdf
    • http://www.gnu.org/licenses/gpl.html
    • http://scripts.sil.org/OFL
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html

Extracted artifacts 9

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000aa37b.bin
eb8737b3cb8d00e1a79858ad0f4897f67a6c87b2fe5b35c40232271d3ed0592c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAA37B 2068 bytes
font_01_sfnt_off000aaceb.bin
8638924453fbca298d6c79da05a8b251aebe31ed50dc0133ec6d40704ee2f27a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAACEB 6396 bytes
font_02_sfnt_off000abdc5.bin
10de6dfd9e7c95e40bc7086ec7035b365f02a7157a5d1e66f0af6dd8a8045224		 pdf-font-stream PDF embedded font (sfnt) at offset 0xABDC5 3060 bytes
font_03_sfnt_off000ac98d.bin
933b5c0a445de8a72a37a5eb31085020341e5df8d46f179c7b88eef1ee897f8a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAC98D 130064 bytes
font_04_sfnt_off000c0b56.bin
4bfc2c8ae3427d122468cce8f7f9466da37064281d3725918431976529e33695		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC0B56 5268 bytes
font_05_sfnt_off000c1d12.bin
7893416b45dedf1bd0981610cabbfe0e5cd87351536b294894309d7c8f0e8bdf		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC1D12 2124 bytes
font_06_sfnt_off000c2684.bin
fd3865a4deaa43b80993787d118d263d17851c036fe9bbaa064dc57f51354457		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC2684 2188 bytes
font_07_sfnt_off000c2fee.bin
a1cd7ea2f054a052d93fd2f7fd00c97ae6981620509c2fd6193b2a00f6798979		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC2FEE 13812 bytes
font_08_sfnt_off000c5647.bin
76ea02dd90e554132e554a489c9061be3bdd55d3018fb43e84110c5582e05a4e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC5647 115540 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.