Malicious PDF — malware analysis report

Static analysis result for SHA-256 94e02ce1dc6cc07d…

MALICIOUS

PDF

65.2 KB Created: 2021-04-11 01:58:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7f10654ad7c9fe93c7e7d13dfb2b1a94 SHA-1: 092af31e5899ade18c52806e53ed725309d3ed7b SHA-256: 94e02ce1dc6cc07d54fc285e132bf9f96bc3c0890b6b74aff57216a47bdba624
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was detected as a malicious PDF by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The embedded URLs suggest the document is part of a phishing or malware distribution scheme, likely attempting to trick users into downloading a secondary payload. The document body, though heavily obfuscated, contains references to 'operating systems design and implementation', which could be a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7773

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.grotekeukens.be/sites/default/files/webform/gmawards2018/gurolaxi.pdf
    • https://www.mothercare.ro/sites/default/files/webform/resumes/77861868930.pdf
    • http://klm3fg.grhosting.cz/sites/default/files/webform/files/78191676466.pdf
    • https://www.jsif.org/sites/default/files/webform/vinuriruxelapaviwona.pdf
    • http://www.friendlycc.com/sites/default/files/webform/kilolegejesap.pdf
    • https://ambrose.edu/sites/default/files/webform/mamak.pdf
    • https://www.a1touchsolution.nl/sites/default/files/56489371510.pdf
    • https://extranet.blanchisserie-toulousaine-de-sante.com/sites/extranet.blanchisserie-toulousaine-de-sante.com/files/documents/justificatifs/29410319198.pdf
    • https://www.osgeurope.com/sites/osg-corporate.dev/files/webform/povufukawonafano.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/skout/mBVl/~3/FevRqgeaUVY/uplcv?utm_term=operating+systems+design+and+impleme
    • https://printandmail.princeton.edu/system/files/webform/fasulegok.pdf
    • https://drones.princeton.edu/system/files/webform/vijebutipide.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e239.bin
978aa3606af69aac4dc9ea0b533286dbbc14089fc29a81054330806f180518f7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE239 5408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.