Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3126fd9baaf4203…

MALICIOUS

PDF

Size: 65.1 KB  Created: 2021-04-29 18:52:53 +03:00  Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 18b991056061eed6691718c774ee75f2  SHA-1: ea366282cc2c34835cd1255d00aa0a42f10744cb  SHA-256: c3126fd9baaf42037e572579b9eb9675358a3f9e5a466f772cc0938ac9f88e01
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF was flagged as malicious by the Nyx classifier (score 0.8519) and by a ClamAV phishing/trojan signature, which points to a phishing lure or trojan download stage rather than an exploit document: the heuristics recorded an external URI action and a set of extracted URLs, but no JavaScript, launch or embedded-file detection. Most of the URLs lead to further PDFs under WordPress form-plugin upload paths (formcraft file-upload, super-forms uploads), a pattern consistent with lure documents staged on abused third-party sites, and the feedproxy.google.com link (utm_term=butterfly+printable+template) suggests the lure theme. The trailing ascendercorp.com and scripts.sil.org/OFL URLs are font-vendor and SIL Open Font License references that travel with the embedded fonts and are benign on their own. The file was generated with wkhtmltopdf, i.e. rendered from HTML, which also fits a mass-produced lure. Because this static pass surfaced no exploit content, the T1203 mapping should be treated as a hypothesis until the linked PDFs have been examined.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8519

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.garriagricola.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b6369dfe01---60243860557.pdf
    • https://fiambreszav.com/wp-content/plugins/super-forms/uploads/php/files/af683e906dd7159fa8eadbf1fb3f0a1b/86440776934.pdf
    • http://amuseonline.com/absite/userfiles/file/98850801789.pdf
    • https://rlvanstory.com/wp-content/plugins/super-forms/uploads/php/files/52c1c62107eabc57fbb81781215f4311/jajupomugaroxe.pdf
    • https://ewms.vn/wp-content/plugins/super-forms/uploads/php/files/9prfsct8icv51n2rm1lon1no0s/76782767290.pdf
    • https://www.davinci.dk/wp-content/plugins/formcraft/file-upload/server/content/files/16077893743749---95607158515.pdf
    • https://autotrilogy.com/wp-content/plugins/super-forms/uploads/php/files/9de02ed15861beef57d78bd256922efd/guxevutefipikavoxesemar.pdf
    • http://www.maoles.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608214f6b88fb---91973025149.pdf
    • http://zadonskiy.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160875344b1c06---29408107473.pdf
    • https://www.crossfitparamaribo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f5985ce858---33341650910.pdf
    • https://www.perfumista.co.uk/wp-content/plugins/super-forms/uploads/php/files/f8407b998938b5719f725e294efbb3db/zazubefemedaxud.pdf
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/16081863e26f86---zibunibowofegolotaz.pdf
    • http://indiebookoftheday.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087995f17750---dujufakitobutomanenox.pdf
    • http://musorcentrum.hu/files/article/file/68663012489.pdf
    • http://dmn.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1607ee674a4561---65201253716.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/Uplcv/~3/3CAf4wW3hvY/uplcv?utm_term=butterfly+printable+template
    • http://scripts.sil.org/OFL
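How the PDF_URI and EMBEDDED_URL heuristics above tell the channels apart, as an added example (this is not the scanner's code): a stdlib-only Python extractor that labels each URL by how it is reached, a /URI action (link annotation or OpenAction), a string inside a /JS action, or text in a content stream. The sample PDF and its hosts (lure.example, js.example) are constructed for the example and have nothing to do with the analysed file; only literal `(...)` strings and FlateDecode streams are handled, hex strings and other filters are not, and object lengths are not validated.

```python
import re
import zlib
from collections import defaultdict

# Constructed sample (not the analysed file): a link annotation with a /URI
# action, an /OpenAction whose JavaScript opens a URL, and a font-licence URL
# sitting in page text. Hosts lure.example and js.example are hypothetical.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (http://lure.example/wp-content/plugins/formcraft/file-upload/server/content/files/x.pdf) >> >> endobj
5 0 obj << /Length 60 >>
stream
BT /F1 12 Tf (Licence: http://scripts.sil.org/OFL) Tj ET
endstream
endobj
6 0 obj << /S /JavaScript /JS (app.launchURL("https://js.example/stage2.pdf", true);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
URI_KEY_RE = re.compile(rb"/URI\s*\(")   # the /URI entry of a URI action dictionary
JS_KEY_RE = re.compile(rb"/JS\s*\(")     # inline JavaScript of a JavaScript action


def _pdf_literal(data: bytes, start: int) -> bytes:
    """Return the PDF literal string whose opening '(' is at data[start-1].
    Honours nested balanced parentheses and backslash escapes."""
    depth, i, out = 1, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                 # escaped char: keep it verbatim, skip the backslash
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
        out += c
        i += 1
    return bytes(out)


def _stream_bodies(pdf: bytes):
    """Yield each stream's content, inflating FlateDecode streams where possible."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        try:
            yield zlib.decompress(body)   # /FlateDecode
        except zlib.error:
            yield body                    # stored, or a filter this example does not handle


def extract_urls(pdf: bytes) -> dict:
    """Map every URL in the document to the sorted list of channels that reach it."""
    hits = defaultdict(set)
    for m in URI_KEY_RE.finditer(pdf):
        hits[_pdf_literal(pdf, m.end()).decode("latin-1")].add("uri_action")
    for m in JS_KEY_RE.finditer(pdf):
        for u in URL_RE.findall(_pdf_literal(pdf, m.end())):
            hits[u.decode("latin-1")].add("javascript")
    for body in _stream_bodies(pdf):
        for u in URL_RE.findall(body):
            hits[u.decode("latin-1")].add("document_body")
    for u in URL_RE.findall(pdf):          # anything left over: metadata, XMP, comments, ...
        u = u.decode("latin-1")
        if u not in hits:
            hits[u].add("other")
    return {u: sorted(c) for u, c in hits.items()}


if __name__ == "__main__":
    for url, channels in extract_urls(SAMPLE_PDF).items():
        print(f"{','.join(channels):14s} {url}")
```

The channel matters for triage: a /URI action or JavaScript URL is something the reader will act on, whereas a URL in page text (here the SIL OFL licence link) or in font metadata is inert until a user copies it.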

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d323.bin
  SHA-256: 1b04f3570c97a667f686d833db126db6a2ba5bc964bae4b9a368b7e94e4d450c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD323
  Size: 5160 bytes

Filename: font_01_sfnt_off0000e4a5.bin
  SHA-256: 7e12294b13111adf0925cadf6fc205a689acc863bb5e4684e8d035adb6c6881a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE4A5
  Size: 10808 bytes
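How font streams like the two above are located, decoded and hashed, as an added example (not the scanner's code): it walks stream objects, inflates FlateDecode streams, keeps those whose decoded bytes start with an sfnt signature, and names them in the same font_NN_sfnt_offXXXXXXXX.bin pattern. The fonts and the wrapping PDF are constructed stand-ins, not real fonts; the offset reported is that of the raw stream data and the size is the decoded length, which the report does not state is its own convention. A caveat for anyone pivoting on these hashes: embedded fonts are normally subsetted to the glyphs a document uses, so their hashes tend to be per-document and are a weak indicator on their own.

```python
import hashlib
import re
import zlib

# sfnt container signatures: TrueType (0x00010000 or 'true'), CFF-based OpenType ('OTTO'),
# TrueType collections ('ttcf').
SFNT_MAGIC = {
    b"\x00\x01\x00\x00": "TrueType",
    b"true": "TrueType",
    b"OTTO": "OpenType/CFF",
    b"ttcf": "TrueType collection",
}

# A stream object with a flat dictionary (no nested << >>), which is what font
# streams carry (/Length, /Filter, /Length1 ...). Nested dictionaries are skipped.
STREAM_OBJ_RE = re.compile(rb"<<(?P<dict>[^<>]*)>>\s*stream\r?\n(?P<body>.*?)\r?\nendstream", re.S)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_sfnt_fonts(pdf: bytes) -> list:
    """Return one record per stream whose decoded content begins with an sfnt signature."""
    found = []
    for m in STREAM_OBJ_RE.finditer(pdf):
        body = m.group("body")
        if b"/FlateDecode" in m.group("dict"):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue          # truncated or mislabelled stream: skip rather than mis-carve
        kind = SFNT_MAGIC.get(body[:4])
        if kind is None:
            continue
        offset = m.start("body")  # file offset of the raw stream data
        found.append({
            "filename": f"font_{len(found):02d}_sfnt_off{offset:08x}.bin",
            "offset": offset,
            "size": len(body),
            "kind": kind,
            "sha256": sha256_hex(body),
        })
    return found


def _fake_sfnt(tag: bytes, payload: bytes) -> bytes:
    """Constructed stand-in for a font: sfnt tag, numTables=1, filler. Not a valid font."""
    return tag + (1).to_bytes(2, "big") + payload


FONT_A = _fake_sfnt(b"\x00\x01\x00\x00", b"A" * 58)   # will be stored uncompressed
FONT_B = _fake_sfnt(b"OTTO", b"B" * 90)               # will be stored with /FlateDecode


def build_sample_pdf() -> bytes:
    """Constructed PDF wrapping the two fake fonts plus one non-font stream."""
    flate_b = zlib.compress(FONT_B)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog >> endobj\n",
        b"2 0 obj << /Length %d /Length1 %d >>\nstream\n" % (len(FONT_A), len(FONT_A))
        + FONT_A + b"\nendstream\nendobj\n",
        b"3 0 obj << /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n" % (len(flate_b), len(FONT_B))
        + flate_b + b"\nendstream\nendobj\n",
        b"4 0 obj << /Length 11 >>\nstream\nBT ET hello\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    for rec in carve_sfnt_fonts(build_sample_pdf()):
        print(f"{rec['filename']}  {rec['sha256']}  {rec['kind']}  offset 0x{rec['offset']:X}  {rec['size']} bytes")
```

Checking the magic after decoding, not before, is the point: a compressed font stream never shows an sfnt header in the raw file, so a naive byte scan misses exactly the streams most generators (wkhtmltopdf's Qt backend included) emit compressed.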