Malicious PDF — malware analysis report

Static analysis result for SHA-256 b86ac1d8b2a22476…

MALICIOUS

PDF

Size: 70.9 KB
Created: 2021-03-27 18:45:46 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 27936238fda152853276153d54a072c1
SHA-1: fb06a6a864ba01981c9b260900c12f25513e4676
SHA-256: b86ac1d8b2a22476eb3de7f6f7c9f4ce4d2979958b375bbcee5e69d27281c567
Risk Score: 134

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF contains invisible link annotations that send the user to a malicious PDF hosted on 'securityofusersdevicesonline.site'. The document body, although obfuscated, is built around the lure text 'Disney beauty and the beast piano sheet music pdf'; the producer string (wkhtmltopdf, an HTML-to-PDF converter) is consistent with a keyword-stuffed web page rendered to PDF rather than an authored document. The PDF-specific heuristics together with the ClamAV detection strongly indicate a phishing or malware-delivery carrier. No JavaScript or other script content was extracted from the file itself, so the document is not the exploit; the risk is the hand-off to the externally hosted PDF, which may attempt to exploit the viewer or deliver a second-stage payload.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.6871

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image-heavy PDF with invisible link to suspicious domain (high, PDF_SUSPICIOUS_LINK_LURE)
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Font vendor and license URLs such as www.ascendercorp.com and scripts.sil.org/OFL are typically carried in embedded font metadata (see the carved sfnt font under Extracted artifacts) rather than in link annotations and are not lure targets.
    • https://ponafet.ru/award?keyword=disney+beauty+and+the+beast+piano+sheet+music+pdf
    • http://masalev.ru/dollhouse_movie_ratingtf3u2.pdf
    • https://cdn.sqhk.co/sojowidaz/jjkARW0/best_hd_movies_bollywood_2019.pdf
    • http://esagafow.fun/chronic_bachelor_malayalam_movie_video_songsz20ol.pdf
    • http://securityofusersdevicesonline.site/146638983023m4nr.pdf
    • http://hookup756.fun/the_playbook_mike_bellafioreyrvs8.pdf
    • http://noviviludizafim.iblogger.org/how_to_switch_fios_ont_to_ethernet.pdf
    • http://zvezdasevera.online/74321406399g6t2v.pdf
    • http://bnatural.space/should_your_be_capitalized_in_a_title_ukct1om.pdf
    • http://bewerab.22web.org/apple_store_iphone.pdf
    • http://chambreapp.xyz/how_much_water_in_presto_pressure_cookeregjh2.pdf
    • https://cdn.sqhk.co/buzaxelubot/jfij9EE/rogatinabugotikepetar.pdf
    • http://wonnaturila.space/intimate_apparel_lynn_nottage9rgmv.pdf
    • http://komarovskii.xyz/apocalypto_full_movie_hd_tamil8nf1u.pdf
    • http://bubajeme.22web.org/29809535263.pdf
    • http://fresh-ita.space/overcoming_gravity_2nd_edition_exercise_chartssfpmb.pdf
    • http://devgame.design/90026526252z5u6s.pdf
    • http://beautytopshop.site/v_shred_custom_plan_reviewszx5b6.pdf
    • http://genusttwsr.fun/paxelu2rvv6.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/nuxulikiwab/apeman_a70_manual.pdf
    • https://s3.amazonaws.com/lakujusitejojet/bevedofakoborupigojulog.pdf
    • http://fasujenijasezos.rf.gd/suncast_auto_rewind_hose_reel_lowes.pdf
    • http://poziluxolebulu.epizy.com/19188546665.pdf
    • https://s3.amazonaws.com/gekixadonuru/songtekst_jonathan_livingston_seagull.pdf
    • http://scripts.sil.org/OFL
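The PDF_SUSPICIOUS_LINK_LURE heuristic above rests on one observation: the /Link annotations exist, but nothing on the page tells the user they are there. The following is an added example, not part of the original report or of the analysis platform that produced it. It is a stdlib-only Python scan that enumerates /Link annotations in an uncompressed PDF, resolves their /URI actions (inline or via an indirect /A reference), and flags the ones a reader could not see: a zero-area /Rect, a Hidden or NoView bit in /F, or a zero-width border with no appearance stream. The PDF bytes in the block are a constructed sample, not the analyzed file; the domains in it are taken from the URL list above. Object streams, encryption and compressed annotation dictionaries are out of scope, so run it on a decompressed copy of a real sample (for example the output of qpdf --qdf --object-streams=disable).

```python
"""Enumerate PDF link annotations and flag the ones a user cannot see.

Added example; not the analysis platform's code. Scans object bodies of an
uncompressed PDF with regular expressions. Object streams, encryption and
compressed dictionaries are not handled.
"""
import re
from urllib.parse import urlparse

# Annotation /F flag bits (PDF 32000-1, table 165): Hidden and NoView.
HIDDEN, NOVIEW = 2, 32

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
RECT_RE = re.compile(rb"/Rect\s*\[\s*([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s*\]")
BORDER_RE = re.compile(rb"/Border\s*\[\s*[-\d.]+\s+[-\d.]+\s+([-\d.]+)")
FLAGS_RE = re.compile(rb"/F\s+(\d+)")
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
ACTION_REF_RE = re.compile(rb"/A\s+(\d+)\s+(\d+)\s+R")

# Constructed sample (NOT the analyzed file): one page with a normal link to the
# font-license URL, a zero-area link to the report's lure domain, and a hidden
# full-page link to the keyword-spam URL.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720] /Border [0 0 1] /A << /S /URI /URI (http://scripts.sil.org/OFL) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 0 0] /Border [0 0 0] /A << /S /URI /URI (http://securityofusersdevicesonline.site/146638983023m4nr.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /Border [0 0 0] /F 2 /A << /S /URI /URI (https://ponafet.ru/award?keyword=disney+beauty+and+the+beast+piano+sheet+music+pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def _objects(pdf):
    """Map object number -> raw body bytes for every 'N G obj ... endobj'."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def _uri_of(body, objects):
    """Return the /URI string of an annotation, following an indirect /A if needed."""
    m = URI_RE.search(body)
    if not m:
        ref = ACTION_REF_RE.search(body)
        if ref and int(ref.group(1)) in objects:
            m = URI_RE.search(objects[int(ref.group(1))])
    if not m:
        return None
    raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
    return raw.decode("latin-1")


def link_annotations(pdf):
    """List every /Link annotation with its URI, host, /Rect and invisibility reasons."""
    objects = _objects(pdf)
    links = []
    for num, body in objects.items():
        if not re.search(rb"/Subtype\s*/Link\b", body):
            continue
        uri = _uri_of(body, objects)
        if uri is None:
            continue  # GoTo/Launch links etc. are outside this example
        rm = RECT_RE.search(body)
        rect = tuple(float(v) for v in rm.groups()) if rm else None
        bm = BORDER_RE.search(body)
        border = float(bm.group(1)) if bm else 1.0  # default /Border is [0 0 1]
        fm = FLAGS_RE.search(body)
        flags = int(fm.group(1)) if fm else 0
        reasons = []
        if rect is not None and (rect[2] - rect[0]) * (rect[3] - rect[1]) == 0:
            reasons.append("zero-area /Rect")
        if flags & (HIDDEN | NOVIEW):
            reasons.append("Hidden/NoView flag set")
        if border == 0 and b"/AP" not in body:
            reasons.append("no border and no appearance stream")
        links.append({"obj": num, "uri": uri, "host": urlparse(uri).hostname,
                      "rect": rect, "reasons": reasons})
    return sorted(links, key=lambda l: l["obj"])


def invisible_links(pdf):
    """Only the link annotations that carry at least one invisibility reason."""
    return [l for l in link_annotations(pdf) if l["reasons"]]


if __name__ == "__main__":
    for l in link_annotations(SAMPLE_PDF):
        tag = "INVISIBLE" if l["reasons"] else "visible"
        print(f"obj {l['obj']}: {tag:9} {l['host']:40} {'; '.join(l['reasons'])}")
```

Borderless links are common in legitimate documents, so "no border and no appearance stream" on its own is a weak signal; the report's heuristic only fires when it coincides with a small image-heavy body and a high-risk destination domain, and a triage script should weight it the same way.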

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f21d.bin
SHA-256: 23c5b558d002808196d555b0afe11d209d7eca99d71768877670f984c432abf8
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF21D
Size: 5388 bytes