Malicious PDF — malware analysis report

Static analysis result for SHA-256 ca240fd16122e812…

Verdict: MALICIOUS
File type: PDF
Size: 92.7 KB
Created: 2021-04-01 11:29:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 710f89672910f0b1dce071f333463ee3
SHA-1: 496adc3b61e2cb88626e5ce9cd86dccbc81012e2
SHA-256: ca240fd16122e812b7f6548ef745d03bf52beaf8096d3396bb31bfad727a3e19
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF_URI heuristic fired on an external URI action pointing to 'https://lozipotod.ru/award?keyword=avicel+dg+pdf'. The '/award' path suggests a prize or reward lure, and the 'keyword=' query string carrying a search phrase is typical of keyword-driven redirect pages; both readings are inferred from the URL alone, since the report includes no rendered page content. The Nyx PDF classifier (malicious score 0.8504) and the ClamAV signature (Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0) independently arrive at a phishing verdict. Two caveats for the analyst: the three heuristics listed contain no JavaScript finding, so the T1059.007 mapping is not corroborated by what is shown here and the actionable behaviour is the click-through link; and the long EMBEDDED_URL list below mixes lure-style links to further .pdf files on CDN and free-hosting domains with two font-licence and foundry URLs (ascendercorp.com, scripts.sil.org/OFL) of the kind carried in embedded font name tables, which are not indicators on their own.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8504

Heuristics (3)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/award?keyword=avicel+dg+pdf
    • http://apparentlyopt.com/2004_dodge_ram_1500_hard_starting_problemspss4s.pdf
    • https://cdn.sqhk.co/jimatoju/gjaXwgi/vans_kalido_color_block_shirt.pdf
    • https://cdn.sqhk.co/fitodofafe/TicBbii/mupadidapamogibujorajivig.pdf
    • https://cdn.sqhk.co/romumoxoleno/ih4Csia/80159780089.pdf
    • http://mijuxub.66ghz.com/39450509590.pdf
    • https://cdn.sqhk.co/leruwexikud/exdTii1/the_lark_balakirev_sheet_music.pdf
    • http://umniashka.ru/los_escritores_de_la_libertadzgit3.pdf
    • https://cdn.sqhk.co/sowotewope/sjeGkgh/versace_chain_reaction_blue_white_red.pdf
    • https://cdn.sqhk.co/bujasugawo/mo7ihhi/fantastic_fishing_mod_apk_android_1.pdf
    • https://cdn.sqhk.co/kigimole/R6jcrRr/car_racing_simulator_3d_mod_apk.pdf
    • http://dunigaki.22web.org/tizuwivekiwidiga.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://sorotugi.epizy.com/30467136227.pdf
    • https://9005a25f-7293-4a73-bb0f-bc58e8c16807.filesusr.com/ugd/e3834b_8ca1d986ca75493683774c481d15a862.pdf?index=true
    • https://17673d3b-e5d0-4e0e-8211-f079fadf35f5.filesusr.com/ugd/13ae68_b9b0e5040d3d40ad92d25971df1bc096.pdf?index=true
    • http://valamujunitun.epizy.com/army_hurt_feelings_report_word_doc.pdf
    • http://jusarif.rf.gd/how_to_get_extra_high_school_credits_online.pdf
    • https://0502d5d0-a0f5-47b8-bc1c-644c46e4e431.filesusr.com/ugd/6cabbb_7fe12d01b61145bbb70b97bbe58afc6f.pdf?index=true
    • http://fanulatanaz.rf.gd/pelazido.pdf
    • https://3176e400-c268-4dc0-8d69-08eae86937f8.filesusr.com/ugd/ea2f88_6c8a3df257c144339c9180d24c8b987c.pdf?index=true
    • http://wuparol.epizy.com/automobile_engineering_textbook_in.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00016337.bin
SHA-256: a463362a1dda013fabcc86a991adbf7b6bf48c173b0cd9aa6cb9ea8600cb040d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x16337
Size: 4888 bytes
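The two findings above (URLs labelled by the channel that reaches them, and an sfnt font carved by offset, size and hash) can be reproduced with a small static scanner. The script below is an added example written for this report, not the analysis platform's own code: it scans a PDF linearly for objects, separates /URI actions (which a click follows) from bare URL strings in dictionaries and from text inside streams (inflating /FlateDecode streams so compressed content is not missed), reads /Creator and /Producer, and carves any stream whose payload starts with an sfnt magic. The PDF it runs on is constructed inline, with invented URLs on the reserved .invalid domain and a fake 32-byte font header, so nothing here is the analysed sample.

```python
import hashlib
import re
import zlib

# Everything below is constructed for this example and is not the analysed sample.
FAKE_SFNT = b"\x00\x01\x00\x00" + b"\x00" * 28             # TrueType sfnt version tag + padding
PAGE_TEXT = b"BT (Font licence: https://licence.example.invalid/OFL) Tj ET"
FLATE_TEXT = zlib.compress(b"BT (Mirror: https://cdn.example.invalid/files/lure.pdf) Tj ET")

def _stream_obj(num, extra, payload):
    """Build 'N 0 obj << /Length n ... >> stream ... endstream endobj' for the sample."""
    return (b"%d 0 obj << /Length %d %s >>\nstream\n" % (num, len(payload), extra)
            + payload + b"\nendstream\nendobj\n")

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents [5 0 R 8 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 100]\n"
    b"   /A << /S /URI /URI (https://lure.example.invalid/award?keyword=test+pdf) >> >> endobj\n"
    + _stream_obj(5, b"", PAGE_TEXT)
    + _stream_obj(6, b"/Subtype /TrueType", FAKE_SFNT)
    + b"7 0 obj << /Creator (wkhtmltopdf 0.12.5) /Producer (Qt 4.8.7) >> endobj\n"
    + _stream_obj(8, b"/Filter /FlateDecode", FLATE_TEXT)
    + b"trailer << /Root 1 0 R /Info 7 0 R >>\n%%EOF\n"
)

OBJECT_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?![\d\s]*R)")        # direct /Length only, not 'n 0 R'
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(([^)]*)\)", re.S)
URL_RE = re.compile(rb"https?://[^\s()<>\[\]\"']+")
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")

def sha256_hex(b):
    return hashlib.sha256(b).hexdigest()

def iter_objects(data):
    """Yield (object number, dictionary part, stream payload or None, absolute payload offset).
    Linear scan rather than an xref walk, so orphaned or shadowed objects are seen too."""
    for m in OBJECT_RE.finditer(data):
        num, body, base = int(m.group(1)), m.group(3), m.start(3)
        sm = STREAM_RE.search(body)
        if not sm:
            yield num, body, None, None
            continue
        dict_part, start = body[:sm.start()], sm.start(1)
        lm = LENGTH_RE.search(dict_part)
        raw = body[start:start + int(lm.group(1))] if lm else sm.group(1)
        if b"/FlateDecode" in dict_part:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass                                    # corrupt or unsupported: scan the raw bytes
        yield num, dict_part, raw, base + start

def classify_urls(data):
    """Map each URL to the channel(s) that reach it: a /URI action (a click follows it),
    a bare string in an object dictionary, or text inside a (possibly compressed) stream."""
    channels = {}
    def tag(url, channel):
        channels.setdefault(url.decode("latin-1"), set()).add(channel)
    for _, dict_part, payload, _ in iter_objects(data):
        actions = {m.group(1) for m in URI_ACTION_RE.finditer(dict_part)}
        for url in actions:
            tag(url, "uri_action")
        for m in URL_RE.finditer(dict_part):
            if m.group(0) not in actions:
                tag(m.group(0), "object_dict")
        for m in URL_RE.finditer(payload or b""):
            tag(m.group(0), "stream_body")
    return channels

def metadata(data):
    """Pull literal-string /Creator, /Producer and /CreationDate values (hex strings not handled)."""
    out = {}
    for key in (b"Creator", b"Producer", b"CreationDate"):
        m = re.search(rb"/" + key + rb"\s*\(([^)]*)\)", data)
        if m:
            out[key.decode()] = m.group(1).decode("latin-1")
    return out

def carve_sfnt_fonts(data):
    """Find streams whose payload starts with an sfnt magic and report object, offset of the
    stored bytes, size and SHA-256, the same fields the report gives for its carved font."""
    fonts = []
    for num, _, payload, offset in iter_objects(data):
        if payload and payload[:4] in SFNT_MAGICS:
            fonts.append({"obj": num, "offset": offset, "size": len(payload),
                          "sha256": sha256_hex(payload)})
    return fonts

if __name__ == "__main__":
    print("metadata:", metadata(SAMPLE_PDF))
    for url, chans in sorted(classify_urls(SAMPLE_PDF).items()):
        print(f"{url}  <- {', '.join(sorted(chans))}")
    for f in carve_sfnt_fonts(SAMPLE_PDF):
        print(f"sfnt font in obj {f['obj']} at 0x{f['offset']:x}, {f['size']} bytes, sha256 {f['sha256']}")
```

On the constructed sample the lure URL is tagged only as a uri_action while the licence-style URL and the mirror link buried in the compressed stream are tagged stream_body, which is the distinction the PDF_URI and EMBEDDED_URL labels above express. Against a real sample, replace SAMPLE_PDF with the file's bytes; note that the scanner handles only literal strings and direct /Length values, so URLs in hex strings or in streams with indirect lengths need a full parser.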