Malicious PDF — malware analysis report

Static analysis result for SHA-256 93ac038dacd6e932…

Verdict: MALICIOUS
File type: PDF
Size: 66.6 KB
Created: 2021-03-26 04:23:54 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 11acf4db7bebee3af242150832e5d0c4
SHA-1: 33c0cde3282786e613292444193e2d13d07bc3a4
SHA-256: 93ac038dacd6e93243d49bba744efa7134fb662849f2f5c191759aee4f0dfe67
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a malicious site. The document body, though heavily obfuscated, suggests a lure related to booking accommodation, aligning with phishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7003

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, tag: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dugedepap.ru/aws?utm_term=best+website+for+booking+accommodation
    • https://cdn.sqhk.co/numiwuzuwix/6XRghiC/25896520848.pdf
    • https://cdn.sqhk.co/sudidoxa/eijaibR/sniper_3d_porter_heights_mission_30.pdf
    • http://byseles.xyz/industrial_fruit_slicing_machine77art.pdf
    • http://50offshop.info/washington_state_mapiuoq5.pdf
    • https://cdn.sqhk.co/kisibijobu/jhhjXjc/javupaparotubov.pdf
    • https://cdn-cms.f-static.net/uploads/4371808/normal_6050d977a659e.pdf
    • http://buyervannakupitvsem.xyz/instructions_template_exampletzjcz.pdf
    • https://cdn.sqhk.co/zojoguxuban/ifanOhc/palimubi.pdf
    • http://shtampshop.ru/847169106154nblw.pdf
    • https://cdn-cms.f-static.net/uploads/4377113/normal_603fa8012865c.pdf
    • https://cdn.sqhk.co/berazanoga/egdZsie/texuziwejoladatabalabefa.pdf
    • http://rollernefrit.xyz/rikumakemujewuraniroroji31kj9.pdf
    • http://retapobu.iblogger.org/one_inch_circle_template_photoshop.pdf
    • http://fishing-rods2.club/334650368828qx2i.pdf
    • http://in-step.shop/ley_de_inquilinato_hondurasj8n91.pdf
    • http://demask.fun/reboteh7o58.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://pojetol.epizy.com/android_apps_sites.pdf
    • http://robavumu.rf.gd/who_is_franks_father_in_the_son_of_neptune.pdf
    • https://9e705916-5bde-4eb8-be9b-8b3e910fbaf8.filesusr.com/ugd/c7a620_533ebfdede7041289dd4a8d77ced6345.pdf?index=true
    • https://05e27880-d5e1-4d3d-8428-ba943e9300bc.filesusr.com/ugd/b56239_1717567d8e55456eba49070208a411aa.pdf?index=true
    • https://09ec9d85-9312-4337-94d0-b84080e05f2e.filesusr.com/ugd/ac0094_ec8f75124dc7410f803614856b077859.pdf?index=true
    • http://putazosaw.epizy.com/kube_cron_job_template.pdf
    • http://janalusexisowa.epizy.com/kathi_tamil_movie_songs_free_320kbps.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f546.bin
Hash (SHA-256): 6aa505f82daaf551553754f700d9337221df75df082d7d798aced3c184253801
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF546
Size: 5652 bytes