Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb9809a2ceed5603…

Verdict: MALICIOUS
File type: PDF
Size: 73.6 KB
Created: 2021-03-20 18:21:44 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: abab7d732311d7e6abc09aeb47e9b684
SHA-1: 8a8580898bba22cf40c2c520a30d94903d7afb84
SHA-256: cb9809a2ceed56038d7cd4d19ad2a21ca402395dfe22c8a13507fe36fb6a1db8
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including a high-confidence ML classifier and ClamAV, as malicious. It contains an embedded URI pointing to 'https://nipisod.ru/award?keyword=aws+ec2+tutorial+pdf', which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, suggests a lure related to AWS EC2 tutorials, aiming to trick users into downloading further malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9935

Heuristics 3

  • ClamAV (critical, CLAMAV_DETECTION): Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/award?keyword=aws+ec2+tutorial+pdf
    • https://cdn.sqhk.co/jazumagefo/haNgfjd/basketball_stars_mod_apk_2019.pdf
    • http://detonic-deutschland.website/best_questions_and_answers_in_an_interview84k5t.pdf
    • https://cdn.sqhk.co/pavupaken/Ughttat/vibizokisomagejuf.pdf
    • http://feziweninepiv.iblogger.org/6267955414.pdf
    • http://scrlt.xyz/2559554383309bqb.pdf
    • http://matroskin.space/52907376540tewb5.pdf
    • https://cdn.sqhk.co/doxinotilid/V6ifz4t/31393362092.pdf
    • http://meblik.su/nuvonu0c2zi.pdf
    • https://cdn.sqhk.co/vanewano/eieuxil/daruzigewuwopefaperigo.pdf
    • https://cdn.sqhk.co/xawobovuji/ja43vid/50544506518.pdf
    • http://hallop.xyz/barsat_film_song_videomsigf.pdf
    • http://sebofafekorav.iblogger.org/wepur.pdf
    • http://cetakchantek.com/sodium_nitride_is_ionic_or_molecularobjwa.pdf
    • http://help-lnstagramcopyrights-verify.com/t_mobile_high_speed_home_internetkg9tm.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/5553586c-0151-41c9-a326-36e9feb397d9/ashab_e_kahf_in_urdu_full_movie_free_download.pdf
    • http://vogufobitag.epizy.com/integral_calculus_inverse_trigonometric_functions_sample_problems.pdf
    • https://uploads.strikinglycdn.com/files/c235137a-4898-4824-aba3-a5e330333e91/m-audio_keystation_88_program.pdf
    • https://uploads.strikinglycdn.com/files/c798c10f-2d37-44ba-86d6-85b4b9c16148/what_does_the_term_dead_to_the_world_mean.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000e335.bin
    SHA-256: e7e62ef21f71deea207f61eab21d9aeca9905aea00fe7b3870067b417c1a27f5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE335
    Size: 5140 bytes
  • font_01_sfnt_off0000f4d6.bin
    SHA-256: 6320a5c9c2ac73a0bf9adadd419d67f2b33907631726dc9929585823dc5b42d9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF4D6
    Size: 10760 bytes
  • font_02_sfnt_off0001197d.bin
    SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1197D
    Size: 4324 bytes