Malicious PDF — malware analysis report

Static analysis result for SHA-256 c730d4a20f3d0e56…

Verdict: MALICIOUS
File type: PDF

Size: 60.6 KB
Created: 2021-01-17 12:59:41 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: de1e0070131eb625d590fd6e5614d9e3
SHA-1: 7a87e919075e5f12eaa5ceda804b03f77a876c1d
SHA-256: c730d4a20f3d0e56484c9517e633cba8ea13cc15f74eb9e51719df0c8a95b357
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is flagged as malicious by three heuristics and a machine learning classifier (Nyx PDF Classifier, malicious score 0.8016). It carries an external URI action whose target, https://trafftec.ru/wb?keyword=fall%20guys%20early%20access%20mobile, appears to be a keyword-style lure for 'fall guys early access mobile'. No scripts were extracted, so the T1059.007 (JavaScript) mapping rests on the heuristic verdict rather than on any recovered script; the document structure and the external URI action indicate that the file exists to redirect the reader to a malicious site. The authoring application, wkhtmltopdf, renders HTML to PDF, so the document was generated from a web page rather than in a desktop editor. The ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 independently classifies it as a phishing trojan. Several of the other extracted URLs (the SIL Open Font License link http://scripts.sil.org/OFL and the ascendercorp.com pages) are font licensing references that most likely originate from the metadata of the embedded font rather than from link annotations; they are not indicators on their own, and the per-URL labels below state which channel reached each URL.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8016

Heuristics (3)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafftec.ru/wb?keyword=fall%20guys%20early%20access%20mobile (target of the external URI action)
    • https://cdn-cms.f-static.net/uploads/4392452/normal_5fb8adf01df53.pdf
    • https://site-1168401.mozfiles.com/files/1168401/can_birds_fly_without_flapping_their_wings.pdf
    • https://site-1172726.mozfiles.com/files/1172726/kadimoretul.pdf
    • https://site-1176664.mozfiles.com/files/1176664/chicken_bacon_goat_cheese_pasta.pdf
    • https://cdn.sqhk.co/barugogip/cjjgjib/interesting_stories_to_read_online_for_free.pdf
    • https://cdn.sqhk.co/kapideto/gchjjdl/dungeons_mod_for_mcpe_apk.pdf
    • https://site-1173658.mozfiles.com/files/1173658/manual_of_chess_combinations_pgn.pdf
    • https://site-1171656.mozfiles.com/files/1171656/64957419101.pdf
    • https://site-1174236.mozfiles.com/files/1174236/75837865046.pdf
    • https://cdn-cms.f-static.net/uploads/4365586/normal_5fd787d922799.pdf
    • http://wizatone.iblogger.org/in_cryptography_what_is_cipher_mcq_answers.pdf
    • https://site-1174390.mozfiles.com/files/1174390/augmented_reality_games_for_android.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://xumizaxojumiko.epizy.com/marathi_bhakti_song_ringtone.pdf
    • http://zelogano.epizy.com/making_a_play_abbi_glines_epub.pdf
    • https://s3.amazonaws.com/tikoweravisixu/reporte_climatico_en_ingles.pdf
    • http://moxododokojuke.epizy.com/cetocort_pomada_bula.pdf
    • https://s3.amazonaws.com/biwuwukesazef/likusesavowefujefavugis.pdf
    • http://wivowutone.epizy.com/edtpa_lesson_plan_template_ny.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d36e.bin
SHA-256:  4f0b22f7d2f740a85ee87795445b556d18bca02405d5b8504357089783e009ea
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0xD36E
Size:     5012 bytes
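The per-URL channel labels above and the carved font artifact are the two things worth reproducing locally when triaging a sample like this one. The script below is an added example, not the analysis platform's code: it walks a PDF's objects with the standard library only, tags each URL with the channel that reaches it (link annotation, JavaScript, OpenAction, standalone URI action, page content, or an embedded font program), and carves any stream that decodes to an sfnt font, naming it in the report's own font_NN_sfnt_offXXXXXXXX.bin scheme. The sample PDF, its example.invalid hostnames and its fake font are constructed inside the block; the one real URL in it is the SIL OFL licence link, included to show why licence URLs like the ones in the list above surface as font-stream hits rather than as link annotations.

```python
"""URL-by-channel labelling and sfnt font carving for a PDF, as this report does.
Added example (not the analysis platform's code), standard library only. The
sample PDF, its example.invalid hosts and its fake font are constructed below;
the one real URL is the SIL OFL licence link, kept to show how it surfaces."""
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)  # a stream containing "endobj" would cut a body short
STREAM_RE = re.compile(rb"stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s*\d+\s+R)")  # direct /Length only, not "/Length 9 0 R"
URL_RE = re.compile(rb"(?:https?|ftp)://[^\x00-\x20<>()\[\]\"'\\]+")  # stops at delimiters and control bytes
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")  # TrueType, Apple, CFF OpenType, collection


def iter_objects(pdf):
    """Yield (objnum, dict_bytes, raw_stream, decoded_stream, stream_file_offset)."""
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        sm = STREAM_RE.search(body)
        if not sm:
            yield int(m.group(1)), body, None, None, None
            continue
        head = body[: sm.start()]
        start = m.start(3) + sm.end()  # absolute file offset of the stream data
        lm = LENGTH_RE.search(head)
        if lm:
            raw = pdf[start : start + int(lm.group(1))]
        else:  # no usable /Length: take everything up to endstream, minus the EOL before it
            end = body.rfind(b"endstream")
            raw = body[sm.end() : end if end >= 0 else len(body)]
            raw = raw[:-2] if raw.endswith(b"\r\n") else raw[:-1] if raw.endswith(b"\n") else raw
        data = raw
        if b"/FlateDecode" in head:
            try:  # decompressobj hands back whatever a truncated stream yields
                data = zlib.decompressobj().decompress(raw)
            except zlib.error:
                data = raw  # corrupt filter (routine in malicious PDFs): scan the raw bytes
        yield int(m.group(1)), head, raw, data, start


def _dict_channel(d):
    """Most specific channel named by an object dictionary."""
    if re.search(rb"/Subtype\s*/Link", d):
        return "link_annotation"
    if b"/JavaScript" in d or b"/JS" in d:
        return "javascript"
    if b"/OpenAction" in d:
        return "open_action"
    return "uri_action" if re.search(rb"/S\s*/URI", d) else "other"


def extract_urls(pdf):
    """Return {channel: [urls]} in document order, de-duplicated per channel."""
    found = {}

    def add(channel, blob):
        for u in URL_RE.findall(blob):
            url = u.decode("latin-1")
            if url not in found.setdefault(channel, []):
                found[channel].append(url)

    for _, head, _, data, _ in iter_objects(pdf):
        add(_dict_channel(head), head)
        if data is not None:  # stream body: an embedded font program or page content
            add("font_stream" if data.startswith(SFNT_MAGIC) else "document_body", data)
    return found


def carve_sfnt_fonts(pdf):
    """Carve streams whose decoded bytes start with an sfnt magic, named as in the report."""
    fonts = []
    for objnum, _, raw, data, off in iter_objects(pdf):
        if data is None or not data.startswith(SFNT_MAGIC):
            continue
        fonts.append({"name": f"font_{len(fonts):02d}_sfnt_off{off:08x}.bin", "object": objnum,
                      "offset": off, "raw_length": len(raw), "data": data})
    return fonts


# Fake TrueType program (constructed): sfnt header for one table, then a licence
# string like those found in a real 'name' table, then padding. Not a valid font.
FONT_BYTES = (b"\x00\x01\x00\x00\x00\x01\x00\x10\x00\x00\x00\x00"
              + b"License: http://scripts.sil.org/OFL\x00" + b"\x00" * 48)


def build_sample_pdf():
    """Constructed sample: a link annotation, a JavaScript OpenAction, a URL in
    page text and a Flate-compressed fake TrueType program. No xref table."""
    content = b"BT /F1 12 Tf (Visit https://body.example.invalid/doc.pdf) Tj ET"
    c_z, f_z = zlib.compress(content), zlib.compress(FONT_BYTES)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript "
        b'/JS (app.launchURL("https://js.example.invalid/run")) >> >>',
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Contents 5 0 R "
        b"/Resources << /Font << /F1 6 0 R >> >> /Annots [4 0 R] >>",
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
        b"/A << /S /URI /URI (https://lure.example.invalid/wb?keyword=fall%20guys) >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(c_z) + c_z + b"\nendstream",
        b"<< /Type /Font /Subtype /TrueType /BaseFont /Fake /FontDescriptor 7 0 R >>",
        b"<< /Type /FontDescriptor /FontName /Fake /Flags 32 /FontFile2 8 0 R >>",
        b"<< /Length %d /Length1 %d /Filter /FlateDecode >>\nstream\n"
        % (len(f_z), len(FONT_BYTES)) + f_z + b"\nendstream",
    ]
    out = b"%PDF-1.4\n" + b"".join(b"%d 0 obj\n" % i + o + b"\nendobj\n" for i, o in enumerate(objs, 1))
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

Call extract_urls(build_sample_pdf()) and carve_sfnt_fonts(build_sample_pdf()) to see the constructed sample labelled, or pass the bytes of a real file. The parser is deliberately tolerant (it honours a direct /Length, otherwise scans for endstream, and keeps the raw bytes of a stream whose Flate data is corrupt) because malformed streams are a routine evasion in malicious PDFs. It does not unpack object streams (/ObjStm) or cross-reference streams: objects packed into an /ObjStm are scanned as decoded stream bytes and therefore land under document_body instead of their real channel, so a sample that hides its actions that way needs a fuller parser.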