Malicious PDF — malware analysis report

Static analysis result for SHA-256 b7863217df3828ca…

MALICIOUS

PDF

121.1 KB Created: 2021-03-17 11:50:26 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8dbbc69cb9ce66a4eec78417f19e24a1 SHA-1: 17b36807d9dd5de6a7b4e6bfcebf3c2f1444da9f SHA-256: b7863217df3828ca97a7d3d00f942cc80f33cc979afb95369543bba0b215be95
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF that contains an embedded URI pointing to a suspicious domain, identified by ClamAV as Pdf.Phishing.Trojan. The ML classifier also flagged this PDF as malicious. The presence of an external URI suggests an attempt to redirect the user to a malicious resource, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9151

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001b9fd.bin
SHA-256: 322d0b4c3aa7b8b7f396c046c0b55c47202b40e507ae47477a65f505f4c91926
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1B9FD
Size: 5500 bytes