Malicious PDF — malware analysis report

Static analysis result for SHA-256 954f7ea06f8c54c0…

Verdict: MALICIOUS
File type: PDF
Size: 44.9 KB
Created: 2021-03-18 09:26:15 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5043766e5e4640dac44b379d3d684a4a
SHA-1: be4e061215e002dcf78da5c2d54498a8c1e6cd39
SHA-256: 954f7ea06f8c54c0f1037759f0a814a6e6d4daceb2ef081623652cbf301f560a
Risk Score: 114

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file is identified as malicious by ClamAV and an ML classifier, and exhibits the characteristics of a phishing lure. The PDF_IMAGE_LURE heuristic indicates that it is an image-based document with a clickable action, likely directing users to a malicious URL such as https://crophysi.ru/award?keyword=mla+referencing+style+pdf. While no scripts were extracted, the presence of embedded URLs and the overall structure suggest that it is designed to facilitate a phishing attack or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7595

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 44 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crophysi.ru/award?keyword=mla+referencing+style+pdf