Malicious PDF — malware analysis report

Static analysis result for SHA-256 b0f6855623b6ed54…

MALICIOUS

PDF

Size: 77.7 KB
Created: 2021-03-17 06:18:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0c1b8af61752c6300c3f6c6ac0bc4e03
SHA-1: 6c49307884fe047505993c16ea344c95f3ae8ee2
SHA-256: b0f6855623b6ed54cf5e1cb000f49407fb916311f28ae9291727ab2d4e952d82
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file was flagged as malicious by the ML classifier and by ClamAV, so the verdict rests on two independent engines. It carries a large number of embedded URLs that point at further PDF files on unrelated domains, a pattern consistent with a PDF-based download and phishing distribution campaign rather than a single targeted lure. The document body, although partially corrupted, contains text about book downloads; that text is the bait meant to make the recipient fetch the next-stage file. Note that none of the heuristics listed below reports a JavaScript action, so the T1059.007 mapping is not corroborated by a specific finding in this report.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9769

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV matched the file against the signature named above.
  • External URI info PDF_URI
    PDF contains an external URL action (a /URI action, which is what a link annotation or document-level action uses to open a URL).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL itself is not a detection; what carries weight is the channel that reached it (macro, JavaScript, link annotation, document body, ...). The list below is not labelled per URL, so the only attributed channel in this report is the external URI action above.
    • https://leonvi.ru/award?keyword=byomkesh+bakshi+somogro+pdf+download
    • http://zabavnyi-slon.ru/tutorials_point_c_programmingcicsf.pdf
    • http://znakomstva18x.site/xakaxesinobikelogebik4zace.pdf
    • http://damodudajipofem.22web.org/71216901303.pdf
    • https://cdn.sqhk.co/jututumogu/1ZhhqNS/33511712580.pdf
    • http://tourist.fish/69583545988wm8fc.pdf
    • http://voicebftyi.com/91344190124vzg2q.pdf
    • http://bio-ita.fun/how_to_make_doughnut_dough_in_a_bread_makeru3sde.pdf
    • https://soxapibojewaw.weebly.com/uploads/1/3/5/3/135345372/6732407.pdf
    • http://rodina38.ru/airlines_manager_tycoon_2020_tips_and_tricks6bu9s.pdf
    • https://sasofisapen.weebly.com/uploads/1/3/4/5/134590640/ca6fa1e1d106.pdf
    • https://senemoribut.weebly.com/uploads/1/3/4/7/134703027/zixowiroxejiz.pdf
    • http://cleanup-sale.site/what_books_are_in_catholic_bible_but_not_protestantdznmp.pdf
    • https://cdn.sqhk.co/firavibaw/ea0QYji/tabepaf.pdf
    • http://ultra0.space/68224336981ucfx.pdf
    • http://hotita.space/defobavivexo8af0e.pdf
    • http://gnoogle.site/what_colors_go_with_olive_green_couchdnk10.pdf
    • http://xewopixomimam.22web.org/atlas_anatomy_3d.pdf
    • http://flowerport.shop/cannon_safes_at_academyudph1.pdf
    • http://repair-monokoles.ru/59459341655mg1vm.pdf
    • http://newowoliso.iblogger.org/70492623226.pdf
    • http://ruszaimclub.ru/tibogupakawipozonobotog9cyu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htm (extracted as `hobbies.htmGNU`; the trailing `GNU` is the start of the adjacent string and not part of the URL)
    • http://www.gnu.org/copyleft/gpl.htm (extracted as `gpl.htmRegular`; the trailing `Regular` is likewise the next adjacent string)
    The five URLs above are font vendor, designer and licence links (Ascender, SIL OFL, GNU GPL), not lure targets. They are consistent with strings from the name tables of the two embedded font programs listed under Extracted artifacts, where a URL string is stored back to back with the next name record, which is why the extractor produced the run-on forms. Treat them as font metadata, not as indicators.
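The channel attribution that the EMBEDDED_URL note refers to can be reproduced with a small scanner that looks at /URI action targets, JavaScript action bodies, inflated content streams and embedded font streams separately. The Python below is an added example written for this page, not code from the analysis platform that produced the report. The PDF it scans is constructed inline; the example.test hostnames, the channel names (`uri_action`, `javascript`, `document_body`, `font_program`, `raw_file`) and the use of `/Length1` as the font-stream marker are assumptions of the example.

```python
"""Channel-aware URL extraction from a PDF. Each URL is tagged with the
channel it was found in (/URI action, JavaScript action, decoded page
content, embedded font stream, or the raw file), which is the label the
EMBEDDED_URL heuristic refers to. The PDF built by build_sample_pdf() is
constructed for this example and is not the analysed sample."""
import re
import zlib

URL_RE = re.compile(rb'https?://[^\s<>()\[\]"\']+')
# A stream object: its dictionary (which never runs past an 'endobj') and body.
STREAM_RE = re.compile(rb'<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream', re.S)
# Keys whose literal-string value matters here: /URI (target) and /JS (script).
ACTION_KEY_RE = re.compile(rb'/(URI|JS)\s*\(')


def _literal(data, start):
    """Return the unescaped bytes of the PDF literal string whose '(' is at
    data[start]. Handles nested parentheses and backslash escapes."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i]
        if c == 0x5C:                       # backslash: keep next byte verbatim
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == 0x28:                       # '('
            depth += 1
            if depth > 1:
                out.append(c)
        elif c == 0x29:                     # ')'
            depth -= 1
            if depth == 0:
                break
            out.append(c)
        else:
            out.append(c)
        i += 1
    return bytes(out)


def extract_urls(pdf):
    """Map each URL (str) to the sorted list of channels it was found in."""
    found = {}

    def add(url, channel):
        found.setdefault(url.decode('latin-1'), set()).add(channel)

    # 1. Action dictionaries. Literal strings only; hex strings and indirect
    #    /JS streams are not handled by this example.
    for m in ACTION_KEY_RE.finditer(pdf):
        text = _literal(pdf, m.end() - 1)
        if m.group(1) == b'URI':
            add(text, 'uri_action')
        else:
            for u in URL_RE.findall(text):
                add(u, 'javascript')

    # 2. Stream objects, inflated when FlateDecode is declared. /Length1 is
    #    carried by FontFile/FontFile2 streams (assumption: used as font marker).
    for m in STREAM_RE.finditer(pdf):
        dict_src, body = m.group(1), m.group(2)
        if b'/FlateDecode' in dict_src:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue
        channel = 'font_program' if b'/Length1' in dict_src else 'document_body'
        for u in URL_RE.findall(body):
            add(u, channel)

    # 3. Anything else visible in the raw bytes (metadata, plain objects).
    for u in URL_RE.findall(pdf):
        if u.decode('latin-1') not in found:
            add(u, 'raw_file')
    return {u: sorted(c) for u, c in found.items()}


def build_sample_pdf():
    """Constructed PDF (no xref; enough for the scanner): a link annotation
    with a /URI action, an OpenAction JavaScript, a Flate-compressed page
    content stream naming a URL, and a stub font stream carrying a licence URL."""
    body = b"BT /F1 12 Tf 72 700 Td (Get the book: http://body.example.test/book.pdf) Tj ET"
    comp = zlib.compress(body)
    font = b"\x00\x01\x00\x00" + b"\x00" * 12 + b"Licensed under http://font.example.test/OFL"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript "
        b'/JS (app.launchURL\\("http://js.example.test/x.pdf"\\)) >> >>',
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp) + comp + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 710] "
        b"/A << /S /URI /URI (http://link.example.test/download.pdf) >> >>",
        b"<< /Length %d /Length1 %d >>\nstream\n" % (len(font), len(font)) + font + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for n, o in enumerate(objs, 1):
        out += b"%d 0 obj\n" % n + o + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for url, channels in sorted(extract_urls(build_sample_pdf()).items()):
        print(url, ",".join(channels))
```

On a real sample, call `extract_urls(open(path, "rb").read())`. A URL that comes back only as `document_body` or `font_program` is text the reader never clicks on; `uri_action` and `javascript` are the channels that actually reach a URL. Font name-table strings stored under the Windows platform are UTF-16BE and will not match an ASCII regex, so font URLs that do show up this way come from Macintosh-platform records or from raw ASCII inside the font program.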

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f6eb.bin
  SHA-256: 847477eb953cb89b7a6d6b72b350457e8bc15f0ca8da29a24f10318786610c6c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF6EB
  Size: 5904 bytes

Filename: font_01_sfnt_off00010af1.bin
  SHA-256: 000a80b24fbaee6f460ad5dbf5588445c37e5d3ce5b509e8e85517e351190797
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10AF1
  Size: 8768 bytes
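The carved sfnt artifacts and the font-metadata URLs at the tail of the URL list come from the same place: the font programs' name tables. The Python below is an added example written for this page, not the analysis platform's carver. It validates an sfnt header found at an offset (rejecting the decoy hits that the bytes `true` or `00 01 00 00` produce all over a PDF), sizes the font from its table directory, reads the name table, and shows why a flat regex over the file yields run-on strings such as `gpl.htmRegular` while the parsed name records give clean URLs. The sample font, its example.test name entries and the PDF wrapper are constructed for the example.

```python
"""Carve sfnt (TrueType/OpenType) font programs out of a PDF by their header
and read the 'name' table, which is where font vendor, designer and licence
URLs live. The font and the PDF wrapper built here are constructed for this
example and are not the analysed sample's artifacts."""
import re
import struct

MAGIC_RE = re.compile(rb'\x00\x01\x00\x00|true|OTTO')   # sfnt version tags
URL_RE = re.compile(rb'https?://[^\s<>()\[\]"\']+')


def _align4(n):
    return (n + 3) & ~3


def _parse_header(data, pos):
    """Return [(tag, offset, length)] if data[pos:] is a sane sfnt header,
    else None. The field cross-checks reject false hits inside a PDF."""
    if pos + 12 > len(data):
        return None
    n, sr, es, rs = struct.unpack(">HHHH", data[pos + 4:pos + 12])
    if not 1 <= n <= 64:
        return None
    exp_es = n.bit_length() - 1                 # floor(log2(numTables))
    exp_sr = (1 << exp_es) * 16
    if (es, sr, rs) != (exp_es, exp_sr, n * 16 - exp_sr):
        return None
    tables = []
    for i in range(n):
        rec = data[pos + 12 + 16 * i:pos + 28 + 16 * i]
        if len(rec) < 16:
            return None
        tag, _csum, off, length = struct.unpack(">4sIII", rec)
        if not all(0x20 <= c <= 0x7E for c in tag):          # tags are printable ASCII
            return None
        if off < 12 + 16 * n or pos + off + length > len(data):
            return None
        tables.append((tag, off, length))
    return tables


def carve_sfnt(data):
    """Return [(offset, size, font_bytes)] for every validated sfnt in data;
    size comes from the table directory, so a /Length1 mismatch is visible."""
    out, pos = [], 0
    while (m := MAGIC_RE.search(data, pos)):
        start = m.start()
        tables = _parse_header(data, start)
        if not tables:
            pos = start + 1
            continue
        size = min(_align4(max(o + l for _, o, l in tables)), len(data) - start)
        out.append((start, size, data[start:start + size]))
        pos = start + size
    return out


def name_strings(font):
    """Return [(nameID, text)] from the 'name' table (formats 0 and 1).
    Unicode/Windows platform strings are UTF-16BE, Macintosh ones mac_roman."""
    for tag, off, length in _parse_header(font, 0) or []:
        if tag == b"name":
            break
    else:
        return []
    tbl = font[off:off + length]
    _fmt, count, str_off = struct.unpack(">HHH", tbl[:6])
    out = []
    for i in range(count):
        pid, _eid, _lid, nid, ln, so = struct.unpack(">HHHHHH", tbl[6 + 12 * i:18 + 12 * i])
        raw = tbl[str_off + so:str_off + so + ln]
        out.append((nid, raw.decode("utf-16-be" if pid in (0, 3) else "mac_roman", "replace")))
    return out


def build_sample_sfnt(names):
    """Constructed sfnt holding only a format-0 'name' table; each entry is
    (nameID, ASCII text) stored under the Macintosh platform (1, 0, 0)."""
    storage, records, off = b"", b"", 0
    for nid, s in names:
        records += struct.pack(">HHHHHH", 1, 0, 0, nid, len(s), off)
        storage += s.encode("ascii")
        off += len(s)
    name_tbl = struct.pack(">HHH", 0, len(names), 6 + len(records)) + records + storage
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", 1, 16, 0, 0)   # one table
    directory = struct.pack(">4sIII", b"name", 0, 28, len(name_tbl))     # checksum left 0
    return header + directory + name_tbl + b"\x00" * (_align4(len(name_tbl)) - len(name_tbl))


# Constructed name entries: a designer URL (nameID 12) stored right before the
# licence description (13), and a licence URL (14) right before the subfamily (2).
SAMPLE_NAMES = [(1, "Demo Serif"), (12, "http://www.example.test/designer.htm"),
                (13, "GNU General Public License"), (14, "http://www.example.test/gpl.htm"),
                (2, "Regular")]


def build_sample_pdf_blob():
    """The font wrapped in a FontFile2-style stream; '/Hidden true' plants a
    decoy 'true' magic that the header checks must reject."""
    font = build_sample_sfnt(SAMPLE_NAMES)
    head = b"%%PDF-1.4\n1 0 obj\n<< /Hidden true /Length %d /Length1 %d >>\nstream\n" % (len(font), len(font))
    return head + font + b"\nendstream\nendobj\n%%EOF\n"


def raw_urls(blob):
    """What a flat regex over the file sees: adjacent name strings run together."""
    return [u.decode("latin-1") for u in URL_RE.findall(blob)]


def parsed_urls(blob):
    """URLs from nameID 11 (vendor), 12 (designer) and 14 (licence) of each carved font."""
    return [s for _, _, font in carve_sfnt(blob) for nid, s in name_strings(font) if nid in (11, 12, 14)]
```

Against a real PDF, compare each carved size with the stream's `/Length1`: a font whose table directory claims more bytes than the stream holds, or a stream that is much larger than its directory accounts for, is worth a closer look. Compressed FontFile2 streams have to be inflated first (the report's carver did that, which is why it reports offsets into the decoded data, not the raw file).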