Malicious PDF — malware analysis report

Static analysis result for SHA-256 a7e79d9d024b91f1…

MALICIOUS

PDF

Size: 64.0 KB
Created: 2021-04-06 03:52:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cc13cb32e7fe5139330b081ea2e1bb9c
SHA-1: 838390742dfd9b14aacb493a697c654ec03795c9
SHA-256: a7e79d9d024b91f17888e4b9393aa777e096569334c597c0e2ac7580c3e2b176
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document identified as malicious by ML classifiers and ClamAV. It contains an embedded URI pointing to a suspicious domain, which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, suggests a lure related to translation services, further supporting a phishing attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9740

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/award?keyword=traduction+fichier+pdf+allemand+francais+en+ligne+gratuit

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f233.bin
SHA-256: 2ec31c4a2a426967741f900a1bd4e0f6b93437c82a67d3623a599e26b186285c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF233
Size: 5516 bytes