Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9fcbc202d11f220…

MALICIOUS

PDF

Size: 74.2 KB
Created: 2021-04-27 05:50:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6905674d3e9e5a6a41b4ac1a9aac05fc
SHA-1: 4831024ba799f1de6cb355dca9050d7f738c148b
SHA-256: b9fcbc202d11f220b7c5f2561cac6eb5fdba145b7e7a7cc82b0323e496590494
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning classifier. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a malicious site. The document body, though heavily obfuscated, contains keywords related to 'safety glasses' and 'home depot', suggesting a lure to trick users into clicking the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8022

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware (signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0)
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (external URI action): https://gimoguvi.ru/strik?utm_term=nemesis+safety+glasses+home+depot

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010782.bin
SHA-256: 7c945713bb3bcad5de2ee6948708871c9168cbef1b711e008a62fa2bedee2cd0
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10782
Size: 5432 bytes