Malicious PDF — malware analysis report

Static analysis result for SHA-256 a140e5a4dcd777f3…

Verdict: MALICIOUS

File type: PDF

Size: 66.8 KB
Created: 2021-02-24 22:34:29 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: ad64881db26d6260cde6f50ac553b261
SHA-1: 641e57194d6e05cdbdc7c9680eb11fb9d303c7c8
SHA-256: a140e5a4dcd777f3c7c309a1700fb1c57b7004582a4072758471ce10607da9f5
Risk Score: 94

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8429

Heuristics (3)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://maypoin.ru/award?keyword=2019+polaris+ranger+1000+repair+manual (PDF link annotation)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e721.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE721
Size: 5528 bytes
SHA-256: c0bb3111265827a541ef98713007a154853baeb91f95d88de93438e4793fac8c