Malicious PDF — malware analysis report

Static analysis result for SHA-256 a536175ab278f43c…

Verdict: MALICIOUS
File type: PDF
Size: 72.2 KB
Created: 2021-03-21 12:24:41 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: db27379327a301025537416e15348484
SHA-1: 40649da335753ae10e788f92690dea050689e7a8
SHA-256: a536175ab278f43cdf16a7987280c805d971094cfd18b8aa55f642c24737eaf0
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF was flagged as malicious by ClamAV and by an ML classifier. It carries an external URL action (a link annotation with a /URI target) pointing to 'https://zajinet.ru/award?keyword=aldous+huxley+pdf+books', which is most likely a phishing lure. The document body, although heavily obfuscated, reads as a search-results page for 'aldous huxley pdf books', and the wkhtmltopdf producer string is consistent with a web page rendered to PDF; most of the other extracted URLs point to further PDF downloads on file-hosting CDNs, the usual shape of a PDF-to-PDF lure chain. No scripts were extracted, so the T1059.007 (JavaScript) mapping is not corroborated by any recovered code. The external URI in a file detected as malicious nonetheless strongly suggests a phishing or credential-harvesting attempt, and since nothing executable was recovered from the file itself, the follow-up is the link target (what zajinet.ru serves to a visitor).

Machine Learning

  • Nyx PDF Classifier malicious score 0.6871

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware under the signature name above.
  • External URI info PDF_URI
    PDF contains an external URL action (a /URI action reachable from a link annotation).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The www.ascendercorp.com and scripts.sil.org/OFL entries are a font vendor and the SIL Open Font License; they most likely come from the embedded font's metadata rather than from the lure.
    • https://zajinet.ru/award?keyword=aldous+huxley+pdf+books (target of the external URL action above)
    • https://static.s123-cdn-static.com/uploads/4465685/normal_5fee98d4d9b65.pdf
    • http://podarokinsta24.online/software_tester_interview_questions_uk2uqva.pdf
    • http://sportplays.ru/youtube_vanced_android_5.15w5cu.pdf
    • http://salonapp.xyz/76540016893xp6wo.pdf
    • http://barberking.best/dozufedwbd9f.pdf
    • http://topcabinets.xyz/jiludafuvoc0mpb.pdf
    • https://static.s123-cdn-static.com/uploads/4485942/normal_5fcebecb3fe00.pdf
    • http://tk-time.site/gemini_security_system_user_manuall526p.pdf
    • http://skameyki.club/sia_chandelier_sheet_music_pianoqf88s.pdf
    • https://cdn-cms.f-static.net/uploads/4368752/normal_6031dcd078c90.pdf
    • http://copyrightsupporthelpcenter.com/79551941320hqh87.pdf
    • https://cdn-cms.f-static.net/uploads/4416935/normal_6047de5c7c96d.pdf
    • https://static.s123-cdn-static.com/uploads/4415309/normal_5fef46fd14d8d.pdf
    • http://brumbum2.xyz/english_vocabulary_words_for_upsc1rfy0.pdf
    • http://vzruvayarttraff.xyz/runotomejujobuk5zk9d.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/e4f344c3-4ec3-47b1-88cb-9ea8fca37137/astra_militarum_8th_edition_hq_choices.pdf
    • https://s3.amazonaws.com/povodijirig/rust_explosives_damage_guide.pdf
    • https://uploads.strikinglycdn.com/files/179c0416-b3c4-4b42-a5bc-a0ed12975a68/krav_maga_sparring_tips.pdf
    • https://uploads.strikinglycdn.com/files/f35a2740-18df-47a4-97d4-0f5ea813bc5c/what_is_the_meaning_of_history_of_economic_thought.pdf
    • https://s3.amazonaws.com/perurulexi/budget_2019-_20_highlights.pdf
    • https://uploads.strikinglycdn.com/files/fdb26ce2-ec97-4c7f-9c96-dd770ebf0768/pl_sql_tutorial_guru99.pdf
    • https://uploads.strikinglycdn.com/files/6adbff3b-307e-4e61-b656-a8f63b4459f1/zigexorabop.pdf
    • https://uploads.strikinglycdn.com/files/2dec1e18-ea04-436c-a8d8-f770db95e054/53988014937.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010148.bin
SHA-256: 917eb17c001845aef82951d49d1029ffcc500d661eefe62c561be053a16f3989
Kind: pdf-font-stream (PDF embedded font, sfnt)
Source: stream at file offset 0x10148
Size: 4836 bytes
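As an added example (not the report's own tooling, and not code from the analysed sample), the script below reproduces the two kinds of evidence this report shows: per-URL channel labels, distinguishing a clickable /URI link action from a URL that merely appears in decoded page content, and carving of embedded sfnt font streams with their file offset, size and SHA-256, named the way the artifact above is. The PDF it parses is constructed in memory and every URL in it uses the reserved example.invalid domain. The parser is regex-based and ignores xref tables, object streams and nested dictionaries, so it is a triage helper rather than a reference parser; in hostile files /Length can lie and should be cross-checked against the endstream keyword.

```python
import hashlib
import re
import struct
import zlib

# ---- Constructed sample: a minimal PDF built in memory (NOT the reported file) ----
# One /Link annotation with a /URI action, one FlateDecode content stream whose text
# mentions two URLs, and one uncompressed FontFile2-style stream holding a tiny fake
# TrueType sfnt with a single "head" table.
_BODY_TEXT = (b"BT /F1 12 Tf 72 700 Td (Download: https://example.invalid/award?keyword=books"
              b" mirror http://mirror.example.invalid/file.pdf) Tj ET")
_BODY = zlib.compress(_BODY_TEXT)
SAMPLE_FONT = (struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)  # sfnt header: version, numTables=1, ...
               + struct.pack(">4sIII", b"head", 0, 28, 4)      # table record: tag, checksum, offset, length
               + b"\x00\x00\x00\x00")                         # 4-byte table body at offset 28

def _obj(num, body):
    return b"%d 0 obj %s endobj\n" % (num, body)

def _stream(num, extra, data):
    return (b"%d 0 obj << /Length %d %s >>\nstream\n" % (num, len(data), extra)
            + data + b"\nendstream\nendobj\n")

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + _obj(1, b"<< /Type /Catalog /Pages 2 0 R >>")
    + _obj(2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>")
    + _obj(3, b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>")
    + _stream(4, b"/Filter /FlateDecode", _BODY)
    + _obj(5, b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 712]"
              b" /A << /S /URI /URI (https://example.invalid/award?keyword=books) >> >>")
    + _stream(6, b"/Length1 %d" % len(SAMPLE_FONT), SAMPLE_FONT)
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"\bstream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)  # the /URI (...) string of a URI action
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
SFNT_MAGICS = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType", b"OTTO": "OpenType/CFF"}

def iter_objects(pdf):
    """Yield (num, dict_bytes, stream_offset, raw_stream, decoded_stream) for each object.
    Heuristic and regex-based: no xref, object streams or nested-dict parsing."""
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        s = STREAM_RE.search(body)
        if not s:
            yield num, body, None, b"", b""
            continue
        head = body[:s.start()]
        start = m.start(2) + s.end()            # absolute file offset of the stream data
        lm = LENGTH_RE.search(head)
        if lm:                                  # /Length can lie in malicious files; real tooling
            raw = pdf[start:start + int(lm.group(1))]   # cross-checks it against endstream
        else:                                   # no /Length: fall back to the endstream keyword
            raw = body[s.end():body.rfind(b"endstream")].rstrip(b"\r\n")
        decoded = raw
        if b"/FlateDecode" in head:
            try:
                decoded = zlib.decompress(raw)
            except zlib.error:                  # truncated or corrupt stream: skip, don't crash
                decoded = b""
        yield num, head, start, raw, decoded

def extract_urls(pdf):
    """Map each URL to the set of channels that reached it, like the report's per-URL labels."""
    found = {}
    for _num, head, _off, _raw, decoded in iter_objects(pdf):
        for m in URI_ACTION_RE.finditer(head):  # clickable /A << /S /URI /URI (...) >> actions
            url = re.sub(rb"\\([()\\])", rb"\1", m.group(1))   # undo PDF string escapes
            found.setdefault(url.decode("latin-1"), set()).add("link_annotation")
        for m in URL_RE.finditer(decoded):      # URLs merely printed in (decoded) page content
            found.setdefault(m.group(0).decode("latin-1"), set()).add("document_body")
    return found

def carve_sfnt_fonts(pdf):
    """Find embedded sfnt (TrueType/OpenType) font streams and describe them as carved artifacts."""
    fonts = []
    for num, _head, off, raw, data in iter_objects(pdf):
        kind = SFNT_MAGICS.get(data[:4])
        if off is None or kind is None or len(data) < 12:
            continue
        num_tables = struct.unpack(">H", data[4:6])[0]
        if num_tables == 0 or 12 + 16 * num_tables > len(data):
            continue                            # magic bytes without a plausible table directory
        records = [struct.unpack(">4sIII", data[12 + 16 * i:28 + 16 * i]) for i in range(num_tables)]
        if any(t_off + t_len > len(data) for _tag, _csum, t_off, t_len in records):
            continue                            # a table points outside the blob: not a real sfnt
        fonts.append({"object": num, "kind": kind, "offset": off, "size": len(raw),
                      "tables": [r[0].decode("latin-1") for r in records],
                      "sha256": hashlib.sha256(data).hexdigest()})
    return fonts

if __name__ == "__main__":
    for url, channels in sorted(extract_urls(SAMPLE_PDF).items()):
        print(f"{url}  <- {', '.join(sorted(channels))}")
    for f in carve_sfnt_fonts(SAMPLE_PDF):
        print(f"font_{f['object']:02d}_sfnt_off{f['offset']:08x}.bin  {f['kind']}  "
              f"{f['size']} bytes  {f['sha256']}")
```

Run against the sample, the zajinet-style URL is reported with both labels (it is the link action's target and is also printed in the page text), while the mirror URL appears only in the document body; the font stream is reported with its offset, table list and hash. The two-label distinction is the point: a URL that is only text in the body cannot be clicked, whereas a /URI action is what the reader's viewer will actually open.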