Malicious PDF — malware analysis report

Static analysis result for SHA-256 abff2e26a6ed905c…

MALICIOUS

PDF

Size: 70.9 KB
Created: 2021-03-29 18:25:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2c148cb68474403add51e68f525c6a50
SHA-1: 279c17de08414b0ab33cb2a3221c076028da3a06
SHA-256: abff2e26a6ed905cc4206fdc541f9ea7778e2cb5ce0ce2255482336c506b532e
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, specifically as a phishing trojan. The embedded URL points to a domain that appears to be a lure, disguised as a PDF download related to public speaking skills. While no scripts were explicitly extracted, the PDF structure and the presence of an external URI suggest it is designed to redirect the user to a malicious resource, likely for payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7004

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://maypoin.ru/award?keyword=public+speaking+skills+books+pdf
    • https://cdn.sqhk.co/morureju/9gjSXbq/social_intelligence_test_questions.pdf
    • http://natural-shop.info/final_collection_letter_before_legal_action_template7nw4z.pdf
    • https://cdn-cms.f-static.net/uploads/4369923/normal_602758c55170a.pdf
    • https://cdn-cms.f-static.net/uploads/4371790/normal_5fd1c3fb31d6d.pdf
    • https://cdn-cms.f-static.net/uploads/4416326/normal_603cbbe2845ff.pdf
    • http://dsv-trening.ru/nvs_9th_class_admission_form_2021vccfw.pdf
    • https://cdn-cms.f-static.net/uploads/4367624/normal_6039102710afd.pdf
    • http://detonic-ufficiale.website/6424387060qq2gp.pdf
    • https://cdn.sqhk.co/gidulikegel/RoigJpx/code_metal_slug_3_apk_mod.pdf
    • https://cdn-cms.f-static.net/uploads/4491433/normal_60175a1b8035e.pdf
    • https://static.s123-cdn-static.com/uploads/4388050/normal_60048c1ad4759.pdf
    • https://static.s123-cdn-static.com/uploads/4481520/normal_5ff122ea7260c.pdf
    • https://cdn-cms.f-static.net/uploads/4422620/normal_5fd7b4ec47433.pdf
    • https://cdn-cms.f-static.net/uploads/4418013/normal_6057b02f431fd.pdf
    • https://static.s123-cdn-static.com/uploads/4410194/normal_60026e995c067.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/senodiw/91218832980.pdf
    • https://s3.amazonaws.com/xoferuzu/scotch_laminating_sheets_instructions.pdf
    • https://s3.amazonaws.com/duzexefemosaxe/zunenijolipibaneguvup.pdf
    • https://s3.amazonaws.com/jopomodilamego/lagu_butterfly_korean_song.pdf
    • https://s3.amazonaws.com/jemazejodep/27918627632.pdf
    • https://s3.amazonaws.com/tixedujegibex/tagobuzunaxatagabomadoxo.pdf
    • https://s3.amazonaws.com/liwafo/formation_continue_aefe_madagascar.pdf
    • https://s3.amazonaws.com/safenalavojuwu/visual_basic_string_format_example.pdf
    • https://s3.amazonaws.com/zuwimadaneb/cancionero_catolico_para_misa_letras.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ede5.bin
SHA-256: 74000a63e85816aac1090f517c558cd00bb4b32afc19babc4b6f37656de7e343
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xEDE5
Size: 5432 bytes