Malicious PDF — malware analysis report

Static analysis result for SHA-256 a2ca0cf41f31dceb…

Verdict: MALICIOUS
Type: PDF, 76.3 KB
Created: 2021-03-28 02:09:27 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9e2276e3092b82653c7e9ad91d6c1605
SHA-1: b7822faedec288edc1f5da8a76a9d45a4b16a3d7
SHA-256: a2ca0cf41f31dcebde0f28e579f23ce5cdafd6def40833880dafc89fb89fa6d1
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is a PDF document classified as malicious by the ML classifier and by a ClamAV signature. Its notable content is an external URL action (a link annotation) whose target, https://seumenha.ru/award?keyword=mudra+bank+loan+form+pdf, belongs to a domain that appears to be part of a phishing campaign; the keyword parameter shows the lure is served under the pretext of a 'mudra bank loan form pdf'. The classification and the URL together indicate a phishing lure delivered as an attachment rather than an exploit document. Note that the ATT&CK mapping includes T1059.007 (JavaScript), but none of the heuristics listed below reports a JavaScript action in this sample; treat that mapping as unconfirmed unless a /JavaScript or /JS object turns up in manual review.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8947

Heuristics (3)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://seumenha.ru/award?keyword=mudra+bank+loan+form+pdf
    Further URLs extracted from the document:
    • http://copyrightshelpscenters.com/x1_remote_codes_for_cable_box8y7ka.pdf
    • http://sabukapu.22web.org/practical_english_usage_download.pdf
    • http://hydrofthol.space/crossfire_series_sylvia_day_orderi0vyn.pdf
    • https://cdn.sqhk.co/tononapiwaso/aF61Igf/risiti.pdf
    • https://cdn-cms.f-static.net/uploads/4391335/normal_6026dcb2e665f.pdf
    • http://presalle.xyz/87081591584mzmmo.pdf
    • https://cdn.sqhk.co/sevigexew/htYgjij/empire_conquest_mod.pdf
    • https://cdn.sqhk.co/surofowudula/dZJv5T4/shelter_in_place_nora_roberts_wikipedia.pdf
    • https://cdn.sqhk.co/juxerawabuf/Wjh9Hhh/ben_pol_new_song_mama.pdf
    • https://static.s123-cdn-static.com/uploads/4369903/normal_5fc672b8136fd.pdf
    • https://static.s123-cdn-static.com/uploads/4420775/normal_5fceab86cb9c7.pdf
    • https://cdn-cms.f-static.net/uploads/4416938/normal_6035cf5e8b699.pdf
    • http://pusolaxunu.66ghz.com/fmovies._to_movies.pdf
    • https://cdn.sqhk.co/gobefuvumi/o5jjhhL/fusatabopusama.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://giratas.epizy.com/57263293497.pdf
    • http://lovenevo.rf.gd/multiplication_tables_chart_free_printable.pdf
    • http://bilunet.rf.gd/vuziratud.pdf
    • http://botujovibal.rf.gd/senirofubemubowo.pdf
    • http://lipelizirivalul.epizy.com/bezonudirovimimato.pdf
    • http://scripts.sil.org/OFL
    Most of these point at other PDFs on free-hosting and CDN domains (rf.gd, epizy.com, 22web.org, 66ghz.com, cdn.sqhk.co, f-static.net, s123-cdn-static.com), which is consistent with lure documents that cross-link one another. The two ascendercorp.com URLs and http://scripts.sil.org/OFL are the kind of copyright and licence strings carried in font metadata and most likely originate from the embedded font carved in the Extracted artifacts section rather than from document content; they should not be treated as indicators on their own.
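As an added worked example (not code from the analysis platform that produced this report), the following Python script performs the channel attribution the EMBEDDED_URL note describes: it pulls URLs out of a PDF and labels each by where it was found (a /URI link action, a /JS action string, a Flate-compressed content stream, an embedded font stream, or unattributed raw bytes such as an Info dictionary). The specimen it runs on is constructed in memory by build_sample_pdf() and is not the analysed sample; every hostname in it is an .invalid placeholder except the OFL licence URL, which is included to show why font-licence strings surface in URL lists. The script is a regex triage aid, not a full PDF parser: indirect string objects, object streams and unescaped nested parentheses in literals are not handled.

```python
"""Attribute URLs in a PDF to the channel that carries them (added example; not the
analysis platform's code). Stdlib only and regex-based, so it tolerates malformed
files, but it is a triage aid, not a parser: indirect string objects, object
streams and unescaped nested parentheses in literals are not handled."""
import re
import zlib

URL_RE = re.compile(rb'https?://[^\s<>()\[\]"\']+')
# PDF string object: literal "( ... )" with backslash escapes, or hex "<...>".
STRING = rb'(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)'
URI_KEY_RE = re.compile(rb'/URI\s*' + STRING, re.S)   # /A << /S /URI /URI (...) >>
JS_KEY_RE = re.compile(rb'/JS\s*' + STRING, re.S)     # /S /JavaScript /JS (...)
# Object dictionary plus its stream; the tempered (?!endobj) stops one match from
# spanning several objects.
STREAM_RE = re.compile(
    rb'obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream', re.S)
LENGTH_RE = re.compile(rb'/Length\s+(\d+)')


def decode_string(lit: bytes, hexs: bytes) -> bytes:
    """Decode one STRING match (literal or hex form) to raw bytes."""
    if lit:
        return re.sub(rb'\\([()\\])', rb'\1', lit)    # \( \) \\ -> ( ) \
    try:
        return bytes.fromhex(re.sub(rb'\s', b'', hexs).decode('ascii'))
    except ValueError:
        return b''


def extract_urls_by_channel(pdf: bytes) -> dict[str, set[str]]:
    """Map channel name -> set of URLs reached through that channel."""
    def urls(data: bytes) -> set[str]:
        return {u.decode("latin-1") for u in URL_RE.findall(data)}

    chan = {k: set() for k in
            ("uri_action", "javascript", "content_stream", "font_stream", "unattributed")}
    for lit, hexs in URI_KEY_RE.findall(pdf):           # link / open actions
        chan["uri_action"].add(decode_string(lit, hexs).decode("latin-1"))
    for lit, hexs in JS_KEY_RE.findall(pdf):            # inline JavaScript strings
        chan["javascript"] |= urls(decode_string(lit, hexs))
    for dct, data in STREAM_RE.findall(pdf):
        m = LENGTH_RE.search(dct)
        if m:                                           # trust /Length over the endstream marker
            data = data[:int(m.group(1))]
        if b"/FlateDecode" in dct:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass                                    # keep raw; a broken Flate stream is itself a flag
        # /Length1 is set on FontFile/FontFile2 streams, so use it as a font heuristic
        label = "font_stream" if b"/Length1" in dct else "content_stream"
        chan[label] |= urls(data)
    # Anything the raw scan sees that no channel claimed (Info dict, comments, ...)
    chan["unattributed"] = urls(pdf) - set().union(*chan.values())
    return chan


def build_sample_pdf() -> bytes:
    """Constructed specimen (not the analysed sample): a /URI link annotation, a
    JavaScript OpenAction, a Flate-compressed page stream, an uncompressed font
    stream carrying a licence URL, and an Info dictionary with a URL in /Subject."""
    content = zlib.compress(
        b"BT /F1 12 Tf 72 720 Td (Download the form at http://lure.example.invalid/form.pdf) Tj ET")
    font = b"\x00\x01\x00\x00 not a real sfnt; licence text: http://scripts.sil.org/OFL \x00"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [6 0 R]"
        b" /Resources << /Font << /F1 7 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream",
        b'<< /S /JavaScript /JS (app.launchURL\\("https://js.example.invalid/go"\\)) >>',
        b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]"
        b" /A << /S /URI /URI (https://link.example.invalid/award?keyword=loan+form+pdf) >> >>",
        b"<< /Type /Font /Subtype /TrueType /BaseFont /Fake /FontDescriptor 8 0 R >>",
        b"<< /Type /FontDescriptor /FontName /Fake /Flags 32 /FontFile2 9 0 R >>",
        b"<< /Length %d /Length1 %d >>\nstream\n" % (len(font), len(font)) + font + b"\nendstream",
        b"<< /Producer (wkhtmltopdf 0.12.5) /Subject (origin: http://meta.example.invalid/page) >>",
    ]
    out, offsets = [b"%PDF-1.4\n"], []
    for num, body in enumerate(objs, 1):
        offsets.append(sum(map(len, out)))
        out.append(b"%d 0 obj\n%s\nendobj\n" % (num, body))
    startxref = sum(map(len, out))
    out.append(b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1))
    out += [b"%010d 00000 n \n" % off for off in offsets]
    out.append(b"trailer\n<< /Size %d /Root 1 0 R /Info 10 0 R >>\nstartxref\n%d\n%%%%EOF\n"
               % (len(objs) + 1, startxref))
    return b"".join(out)


if __name__ == "__main__":
    for channel, found in extract_urls_by_channel(build_sample_pdf()).items():
        print(f"{channel:15} {sorted(found)}")
```

Run it as-is to print the attribution for the constructed specimen, or call extract_urls_by_channel(open(path, "rb").read()) on a real sample. A URL that appears only under unattributed or only inside a font stream deserves the scepticism applied to the ascendercorp.com and OFL entries above, while a /URI target hidden in a hex string or referenced through an indirect object is a reason to open the file in a proper parser, not to clear it.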

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001129c.bin
SHA-256: ffee12f7da3e4caeb6254cecc6425e190317f5d56a9960a7e13b7fa9ea5ded8c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1129C
Size: 5216 bytes