Malicious PDF — malware analysis report

Static analysis result for SHA-256 c28b1dfb1f409c5f…

Verdict: MALICIOUS
File type: PDF
Size: 72.2 KB
Created: 2021-03-18 00:59:10 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 646ef34af30824d76bdc080414cc2062
SHA-1: cb73528fd941722e6f5384c8f1c03aa5b8f977f9
SHA-256: c28b1dfb1f409c5fc9181f5f9618a9a40c071de875d918c3b441f024710979e8
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document detected as malicious by ClamAV and by an ML classifier. It contains embedded URLs, one of which is `https://jacksth.ru/award?keyword=comparatif+centrale+vapeur+que+choisir+pdf`, suggesting a lure that leads to a phishing or malware distribution site. Although no scripts were explicitly extracted, the PDF format can embed JavaScript, and the presence of multiple URLs of unknown reputation indicates a high likelihood of malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7584

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/award?keyword=comparatif+centrale+vapeur+que+choisir+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f081.bin
  SHA-256: 49a9b3cca9cae3af7a8e8f2af877926778284b171eb12701e685a444dc6b5f41
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF081
  Size: 5484 bytes

Filename: font_01_sfnt_off000102fa.bin
  SHA-256: 49391178ca5ad583d44473f6e85919fdb00c7f9a6740525cdca72e3fe29c1cd2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x102FA
  Size: 11928 bytes