Malicious PDF — malware analysis report

Static analysis result for SHA-256 bdbbbe14c41728fb…

Verdict: MALICIOUS
File type: PDF
Size: 69.5 KB
Created: 2021-03-27 14:59:02 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 343ed7cbe14c2eaf24dd4423c6a884e2
SHA-1: 3bb096f2728b114399d1feb0701880310fe4c160
SHA-256: bdbbbe14c41728fbd067c72ae822f647d0edc6df8eb4330b766dfe25d1ed19dd
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is flagged as a malicious PDF by the ML classifier and by ClamAV, whose signature names it a PDF phishing trojan. The lure is the URL https://jacksth.ru/award?keyword=python+data+analysis+tutorial+pdf: the search phrase 'python data analysis tutorial pdf' is carried as a query parameter so the link reads as the download the victim was looking for, a common social engineering tactic. The other extracted URLs follow the same keyword-stuffed .pdf pattern on free hosting, and the wkhtmltopdf producer string is consistent with the document having been generated from a web page rather than authored by hand. The heuristics below record only URI actions and extracted URLs; no JavaScript, Launch or OpenAction object was flagged, so the evidence on this page supports a redirect of the user to an attacker-controlled site for phishing or payload delivery, not code execution inside the reader.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7003

Heuristics (3)

  • ClamAV detection (CLAMAV_DETECTION, critical)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (PDF_URI, info)
    PDF contains an external URL action
  • Embedded URL (EMBEDDED_URL, info)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/award?keyword=python+data+analysis+tutorial+pdf
    • http://pupofikavize.iblogger.org/sql_server_2017_full_setup.pdf
    • http://mokugujumekov.sportsontheweb.net/93931948379.pdf
    • http://fanutoragozogow.sportsontheweb.net/barron_s_new_sat_download.pdf
    • http://foxiduwanati.mygamesonline.org/computer_definition_computer_science.pdf
    • http://hookup671.site/22734601417x1ron.pdf
    • http://dvestideyli.xyz/sogizagimoxijima0o7i.pdf
    • http://smotrikino.fun/litadefamews5sou.pdf
    • http://goproonly.com/mcdonalds_application_form_2020ys7uy.pdf
    • http://gadetebes.sportsontheweb.net/aristotle_categories_sparknotes.pdf
    • http://jotetifijenosif.iblogger.org/basic_computer_knowledge_file_download.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/e3d49ce5-ddd5-44dc-a036-2715b11740e8/16587363502.pdf
    • https://s3.amazonaws.com/ximupuv/58284334762.pdf
    • https://uploads.strikinglycdn.com/files/45d93d22-f314-452b-9bd7-ccc4c1b41ffc/hp_officejet_4630_enable_scan_to_computer.pdf
    • https://uploads.strikinglycdn.com/files/a9543a14-ee60-4c12-97d6-f80016e0b529/zyxel_pk5001z_speed.pdf
    • https://s3.amazonaws.com/dafumuxitupav/collins_spanish_essential_dictionary_and_grammar.pdf
    • https://s3.amazonaws.com/fomudebipefasu/xoratujufejafajasene.pdf
    • https://s3.amazonaws.com/wiremeresegikon/fable_stories_in_english_with_moral.pdf
    • https://uploads.strikinglycdn.com/files/c9ef2c7a-04e8-4883-94e9-1503a4053b47/msi_geforce_gtx_970_gaming_4g_vs_gtx_1060_6gb.pdf
    • https://s3.amazonaws.com/suxuzubojut/banorte_reporte_de_extravio_de_tarjeta_telefono.pdf
    • https://s3.amazonaws.com/lowebemuwojiso/english_connectors_exercises_with_answers.pdf
    • https://s3.amazonaws.com/mafavuzenoliki/xugodojofipajegudoxe.pdf
    • https://uploads.strikinglycdn.com/files/a151f367-d4d9-479a-a0a7-9b82761991f1/with_president_johnsons_reconstruction_plans_the_southern_planters.pdf
    • http://zasogiw.epizy.com/tuluxixesuzel.pdf
    • https://s3.amazonaws.com/banula/how_to_remove_karcher_pressure_washer_pump.pdf
    • http://scripts.sil.org/OFL

Three of these entries (www.ascendercorp.com, its typedesigners page, and scripts.sil.org/OFL) are a font foundry's site and the SIL Open Font License URL, the kind of vendor and license strings carried in an embedded font's name table; they almost certainly come from the carved sfnt font listed under Extracted artifacts rather than from a link annotation, and are not lure URLs. The remaining entries are keyword-style .pdf links on free hosting (strikinglycdn, S3 buckets, iblogger.org, sportsontheweb.net and similar), the same pattern as the primary lure.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001019a.bin
SHA-256: 0fe6de7d0b228ec4604021675f6431165bd4ca360052856f5a95c8946352833b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1019A
Size: 4996 bytes
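To reproduce the findings above without the analysis platform (the PDF_URI and EMBEDDED_URL heuristics, the absence of a JavaScript action, and the sfnt font carve with its offset, size and SHA-256), here is an added Python example. It is not the platform's code and it does not parse the real sample: it builds a small stand-in PDF inline (one link annotation whose /URI is the page's lure URL, one raw TrueType-style font stream and one Flate-compressed OpenType-style one, all object numbers and font bytes constructed) and runs the same three checks over it.

```python
"""Added example: re-implements the /URI, action-key and embedded-font checks a
PDF triage report lists. Not the analysis platform's code; the PDF built below
is a constructed stand-in, not the real bdbbbe14... sample."""
import hashlib
import re
import zlib
from typing import Dict, List

# Magic bytes that open an sfnt container: TrueType, Apple 'true', OpenType/CFF, collection.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")

# Literal-string URI actions only: /URI (https://...).  The hex-string form /URI <...> is not handled.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
# Stream bodies; the lookbehind stops the 'stream' inside 'endstream' from matching.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# Action keys worth counting; a count is a triage hint, not a detection.
RISKY_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/EmbeddedFile")


def _unescape(s: bytes) -> str:
    """Undo the PDF literal-string escapes that can appear inside a URL."""
    return re.sub(rb"\\([()\\])", rb"\1", s).decode("latin-1")


def extract_uri_actions(pdf: bytes) -> List[str]:
    """Every /URI action target in file order (what PDF_URI / EMBEDDED_URL report)."""
    return [_unescape(m.group(1)) for m in URI_RE.finditer(pdf)]


def count_risky_keys(pdf: bytes) -> Dict[str, int]:
    """Occurrences of each action key in plain (non-object-stream) objects; zero /JS and
    /JavaScript is the observation behind 'no JavaScript action flagged'."""
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", pdf))
            for k in RISKY_KEYS}


def carve_sfnt_streams(pdf: bytes) -> List[dict]:
    """Carve streams that start with an sfnt magic, inflating /FlateDecode ones first."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        # The stream dictionary precedes the keyword; a short look-back finds its /Filter.
        head = pdf[max(0, m.start() - 256):m.start()]
        data = raw
        if b"/FlateDecode" in head:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # corrupt or multiply-filtered stream: skip rather than guess
        if data[:4] in SFNT_MAGICS:
            found.append({
                "offset": m.start(1),        # file offset of the stream body, as the report lists it
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "encoded": data is not raw,  # True when the font was Flate-compressed in the file
            })
    return found


def triage(pdf: bytes) -> dict:
    """The three checks together, in the shape of the heuristics/artifacts sections."""
    return {"uris": extract_uri_actions(pdf),
            "keys": count_risky_keys(pdf),
            "fonts": carve_sfnt_streams(pdf)}


def build_sample_pdf() -> bytes:
    """Constructed stand-in: one page with a link annotation carrying the page's lure URL,
    one raw TrueType-style font stream and one Flate-compressed OpenType-style one."""
    font_a = b"\x00\x01\x00\x00" + b"\x00" * 60    # fake sfnt header plus padding (64 bytes)
    font_b = b"OTTO" + b"\x01" * 40                 # fake CFF-flavoured sfnt (44 bytes)
    font_b_z = zlib.compress(font_b)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>",
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI "
        b"/URI (https://jacksth.ru/award?keyword=python+data+analysis+tutorial+pdf) >> >>",
        b"<< /Length %d >>\nstream\n" % len(font_a) + font_a + b"\nendstream",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(font_b_z) + font_b_z + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_pdf()), indent=2))
```

To run it against the real file, pass its bytes to triage() and compare the carved font's offset, size and SHA-256 with the artifact line above. The checks are deliberately shallow: URIs are only found in literal strings, streams are only inflated for a single /FlateDecode filter, and anything inside a compressed object stream or behind a cross-reference stream is invisible to regex scanning, so a zero /JS count here supports the heuristics listing but is not proof that no JavaScript exists.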