Malicious PDF — malware analysis report

Static analysis result for SHA-256 9dc210a78de9e4de…

MALICIOUS

PDF

148.9 KB Created: 2020-04-10 03:38:29 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: cef6158db4c64c73a6c58ae709047eb5 SHA-1: a9884e84d0bdea9490789e7633da3c58c0359c35 SHA-256: 9dc210a78de9e4deedf238869b4ea05bfc528d25a82a81c143c12ed03c50b8cf
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The ClamAV heuristic identified this PDF as a dropper, and an external URI points to a suspicious HTML file. The document body contains urgency language, suggesting a social engineering tactic to prompt user interaction. The presence of multiple embedded URLs indicates a potential distribution mechanism for further malicious content.

Heuristics 4

  • ClamAV: Pdf.Dropper.Agent-9019419-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-9019419-0
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://elliebustamante.com/uploads/1/3/1/4/131453780/131453780.html#jeffrey+dahmer+book
    • http://tashkendallsound.com/uploads/1/3/0/7/130739791/jozalirujokewo.pdf
    • http://gaualauf.com/uploads/1/3/1/3/131381904/vuzipiwekopejoze.pdf
    • http://sp00kqd.com/uploads/1/3/0/6/130639165/kenele.pdf
    • http://classiccpr.com/uploads/1/3/0/2/130291507/pokodam.pdf
    • http://dautantplusbyannetellier.com/uploads/1/3/0/5/130588463/7374033.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00020d70.bin
094936a3d19b646e986fd2f0e5185c11d334876b8d06a47808063c9dc1b8044c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x20D70 8960 bytes
font_01_sfnt_off00022fa0.bin
65b19af29a8b13b6c479ba43c918a12594446bc2c93140f5bd0ac14383de5914		 pdf-font-stream PDF embedded font (sfnt) at offset 0x22FA0 16356 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.