Malicious PDF — malware analysis report

Static analysis result for SHA-256 ccd614ca3685494d…

MALICIOUS

PDF

Size: 73.3 KB
Created: 2021-05-21 13:53:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d0d4e45be16781cfc348dcc36e642a7b
SHA-1: a7150c97ad810e6ce8df7eef6a038613d5ff001d
SHA-256: ccd614ca3685494d599ca0edf389db49092ec8f0168c7dbe4808f594595687a7
Risk score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The presence of multiple embedded URLs, many of which are unknown or lead to suspicious PDF files, suggests a phishing or malware distribution campaign. Although no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of an attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8388

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ffb7.bin
SHA-256: 56c95deb8681457e71b9d194b169059f81c1ad14314a7b0b2c2f945c282aa715
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xFFB7
Size: 5880 bytes