Malicious PDF — malware analysis report

Static analysis result for SHA-256 c4b45ab3264d5a23…

Verdict: MALICIOUS
File type: PDF

Size: 81.0 KB
Created: 2021-05-17 19:24:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-23
MD5: cee892f1d5a7f9ea92374949f17bc266
SHA-1: 78e6ea736e1062c0bab3438baf7c40c3d564c354
SHA-256: c4b45ab3264d5a231c56014387a02597fdf4b25662a984435287295159a4ec6a
Risk Score: 64

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains a lure for a Nespresso offer, likely to trick users into clicking a malicious link. The ClamAV heuristic identified it as Pdf.Phishing.Trojan, and an external URI was found pointing to a suspicious domain. While no scripts were directly extracted, the PDF structure and embedded URLs suggest a phishing attempt designed to lead the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier: suspicious score 0.4546

Heuristics (3)

  • ClamAV detection (critical, CLAMAV_DETECTION): Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/strik?utm_term=nespresso+150+capsules+welcome+offer+uk (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00010311.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10311
    Size: 5604 bytes
    SHA-256: c5397f373e282e258225273ea5ff1ac4440085bddb717b4579a8f28e1ff8fe87
  • Filename: font_01_sfnt_off00011634.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11634
    Size: 12480 bytes
    SHA-256: 7b7cf27b5605bba13cc74053e35a98d4f9beb20cf474dfaa980435e7859577e3