Malicious PDF — malware analysis report

Static analysis result for SHA-256 c7c69db1d24fd51f…

MALICIOUS

PDF

Size: 43.5 KB
Created: 2020-11-12 21:48:25 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: da1b07f3ca6b5b3c280d66b5a9b49ca0
SHA-1: 9e3d905dea18e843c6102082acc8b5d9e6217625
SHA-256: c7c69db1d24fd51fb572ed1fad787236b7045b487d16b1b35e392ae1e4af61ed
Risk Score: 134

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a PDF that presents itself as a service manual and carries an external URL action. The extracted URLs are headed by https://trafficel.ru/aws?utm_term=cessna+150m+service+manual, whose query string matches the lure theme; the remaining URLs point at other PDFs hosted on public CDN and object storage, consistent with a templated, mass-generated lure (the file was produced by wkhtmltopdf). No JavaScript or other scripts were extracted, so the document does not execute anything by itself: the risk is that the reader follows the link to a phishing or malware distribution site, which is why the ATT&CK mapping is Spearphishing Attachment. The ClamAV phishing signature and the SE_LOLBIN_RUN_COMMAND heuristic point the same way, but the latter fires on token proximity in the extracted text (a script/execution tool name near a flag, command verb or URL), so the matched passage should be reviewed to confirm it is an actual 'run this' instruction rather than incidental wording. The Nyx classifier score of 0.5298 sits only just above 0.5 and is a weak signal on its own.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5298

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafficel.ru/aws?utm_term=cessna+150m+service+manual
    • https://cdn-cms.f-static.net/uploads/4386337/normal_5f9f313c04826.pdf
    • https://cdn-cms.f-static.net/uploads/4450734/normal_5fa7b3416b50c.pdf
    • https://cdn-cms.f-static.net/uploads/4411501/normal_5f95bf5d891cc.pdf
    • https://cdn-cms.f-static.net/uploads/4405179/normal_5f95eee3bfe2a.pdf
    • https://cdn-cms.f-static.net/uploads/4366057/normal_5fa2958a70983.pdf
    • https://uploads.strikinglycdn.com/files/da121a6c-0688-4538-8a34-aeafc52b6690/bufoguzibalepelobet.pdf
    • https://uploads.strikinglycdn.com/files/bc7bb71f-a5c2-49ad-b0a6-a2b17e6fb23f/nofimero.pdf
    • https://uploads.strikinglycdn.com/files/20266415-4df3-4df7-9240-8fc45413895e/bainbridge_mass_spectrometer.pdf
    • https://uploads.strikinglycdn.com/files/e5e93f16-33dc-4ba2-993d-a3d66a6b88a5/fenojisaneduvufuxiji.pdf
    • https://s3.amazonaws.com/najubu/stateless_episode_6.pdf
    • https://uploads.strikinglycdn.com/files/efcc31de-88c7-452f-bb70-84e536dcd4c7/36156121646.pdf
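The following is an added example, not the scanner's code or anything taken from the analysed file. It reproduces the two kinds of evidence the report relies on: URL extraction from a PDF that distinguishes the link-annotation channel (PDF_URI) from URLs visible in the document text (EMBEDDED_URL), and the SE_LOLBIN_RUN_COMMAND token-proximity heuristic described above. The PDF is constructed inline, the LOLBin and "dangerous neighbour" token lists are assumptions modelled on the heuristic description (the scanner's own lists are not published here), and the 220-character window is taken from that description. The parsing is regex-level, enough for plain objects and FlateDecode streams; a real triage pipeline would use a proper PDF parser.

```python
import re
import zlib

# --- PDF extraction (regex level; enough for plain objects and Flate streams) ---
STREAM_HDR_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n")  # dict + 'stream'
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")              # direct /Length only
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")            # target of an /S /URI action
TJ_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")                      # (string) Tj
TJ_ARRAY_RE = re.compile(rb"\[((?:\\.|[^\]\\])*)\]\s*TJ")               # [ (s) -20 (t) ] TJ
PDF_STRING_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)")
URL_RE = re.compile(r"https?://[^\s()<>\"']+")

# --- LOLBin token-proximity heuristic (assumed token lists; the scanner's are not published) ---
LOLBIN_RE = re.compile(r"\b(powershell|pwsh|mshta|cmd|rundll32|regsvr32|wscript|cscript|"
                       r"certutil|bitsadmin)(?:\.exe)?\b", re.IGNORECASE)
DANGER_RE = re.compile(r"-enc\w*|-nop\b|-w\s+hidden|\biex\b|invoke-expression|downloadstring|"
                       r"/c\b|/k\b|https?://\S+", re.IGNORECASE)
WINDOW = 220  # characters, as in the heuristic description


def streams(pdf):
    """Yield (dict_bytes, body) for every stream object, sized by its direct /Length."""
    for m in STREAM_HDR_RE.finditer(pdf):
        n = LENGTH_RE.search(m.group(1))
        if n:
            end = m.end() + int(n.group(1))
        else:  # indirect or missing /Length: fall back to the keyword
            end = pdf.find(b"endstream", m.end())
            end = len(pdf) if end == -1 else end
        yield m.group(1), pdf[m.end():end]


def decode_stream(dict_bytes, body):
    """Inflate FlateDecode streams; other filters are passed through untouched."""
    if b"/FlateDecode" not in dict_bytes:
        return body
    try:
        return zlib.decompress(body)
    except zlib.error:
        return b""


def stream_text(stream):
    """Crude text extraction: concatenate the string operands of Tj/TJ operators."""
    parts = [m.group(1) for m in TJ_RE.finditer(stream)]
    for arr in TJ_ARRAY_RE.finditer(stream):
        parts.extend(PDF_STRING_RE.findall(arr.group(1)))
    return b"".join(parts).decode("latin-1")


def extract(pdf):
    """Return (urls, text). urls is [(channel, url)], channel being 'uri_action'
    (link-annotation target) or 'document_text' (URL visible in the page text)."""
    urls = [("uri_action", m.group(1).decode("latin-1")) for m in URI_ACTION_RE.finditer(pdf)]
    text = ""
    for dict_bytes, body in streams(pdf):
        decoded = decode_stream(dict_bytes, body)  # object streams (PDF 1.5+) hold annotations too
        urls += [("uri_action", m.group(1).decode("latin-1")) for m in URI_ACTION_RE.finditer(decoded)]
        text += stream_text(decoded)
    urls += [("document_text", u) for u in URL_RE.findall(text)]
    return list(dict.fromkeys(urls)), text


def lolbin_hits(text, window=WINDOW):
    """(tool, neighbour, distance) for each LOLBin name within `window` characters of a
    dangerous flag, verb or URL. This matches visible text only: it shows that a
    'run this' instruction is present, not that anything executes."""
    dangers = [(m.start(), m.group(0)) for m in DANGER_RE.finditer(text)]
    return [(m.group(1).lower(), tok, abs(pos - m.start()))
            for m in LOLBIN_RE.finditer(text)
            for pos, tok in dangers if abs(pos - m.start()) <= window]


def build_sample_pdf():
    """Constructed sample (not the analysed file): one page, a Flate-compressed content
    stream whose text is a 'run this' lure ending in a URL, and a Link annotation whose
    URI action points somewhere else."""
    content = (b"BT /F1 12 Tf 72 700 Td (Cessna 150M service manual. Press Win+R and run: "
               b"powershell -w hidden -enc SQBFAFgA then open https://example.invalid/manual.pdf) Tj ET")
    packed = zlib.compress(content)
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj",
        b"4 0 obj << /Length " + str(len(packed)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + packed + b"\nendstream\nendobj",
        b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 400 712] /A << /S /URI "
        b"/URI (https://example.invalid/go?utm_term=cessna+150m+service+manual) >> >> endobj",
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%EOF\n"


if __name__ == "__main__":
    urls, text = extract(build_sample_pdf())
    for channel, url in urls:
        print(f"{channel:14s} {url}")
    for tool, neighbour, dist in lolbin_hits(text):
        print(f"LOLBin sequence: {tool!r} within {dist} chars of {neighbour!r}")
```

Running it lists the annotation target under uri_action and the in-text URL under document_text, then reports the powershell token next to its flags and the URL. The same text run through lolbin_hits with the tool name moved more than 220 characters from any flag or URL returns nothing, which is exactly the kind of distance-sensitive match that makes manual review of the flagged passage worthwhile before weighting this heuristic heavily.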