Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf6d141767fe53b1…

Verdict: MALICIOUS
File type: PDF
Size: 66.8 KB
Created: 2021-03-19 15:58:18 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0b269be5d9b7ccd97f67eef7acc6d544
SHA-1: 80e16c6ebac6e0440e4fe27130722037d6b739f1
SHA-256: cf6d141767fe53b11a0243f8698ab18267e2e2a907b8fb4c45b625e611939361
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

Both the ML classifier and ClamAV flag the file as malicious. The PDF contains an external URL action pointing to a suspicious domain, consistent with phishing or malware distribution. The document body is heavily obfuscated, but the 'basic english grammar book 2 pdf' keyword in the nipisod.ru URL suggests a lure themed on a free textbook download. No scripts were extracted, so the T1059.007 (JavaScript) mapping above is not corroborated by any observed script; the external URIs together with the AV detection nonetheless point to a phishing or credential-harvesting attempt. Two of the extracted URLs (www.ascendercorp.com and scripts.sil.org/OFL) are font vendor and licence links of the kind carried in a font's name table, and most likely originate from the embedded sfnt font listed under Extracted artifacts rather than from the lure itself.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7003

Heuristics (3)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/award?keyword=basic+english+grammar+book+2+pdf+saddleback+pdf
    • https://zabaparadasikid.weebly.com/uploads/1/3/4/3/134317604/buwaxopiw.pdf
    • http://zuraleres.mywebcommunity.org/come_on_eileen_sheet_music.pdf
    • http://mulisefetijasal.iblogger.org/3.5_e_eberron_campaign_setting.pdf
    • http://kopalirigel.mypressonline.com/pexuvodakox.pdf
    • http://libertinemodels.com/breaking_rules_quotes_tumblrt0x7f.pdf
    • http://sowakowakemim.mygamesonline.org/komplikasi_avian_influenza.pdf
    • http://mobile-media.moscow/17877748530ra6yz.pdf
    • https://muvilafopa.weebly.com/uploads/1/3/4/5/134502810/rovaloduzu_xewixidap_joxijumobufebek_towulidolof.pdf
    • http://clientbluebadge.com/7520829639157nu.pdf
    • http://digosige.mywebcommunity.org/42259307518.pdf
    • http://wide-mean.top/sap_tutorialapuih.pdf
    • http://opt15.ru/gikemukam2bs8.pdf
    • https://zajutarox.weebly.com/uploads/1/3/0/8/130814803/mavonakalapazi-gigidogaz-newanasowex-lagaw.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://tufelorit.rf.gd/61117357256.pdf
    • https://uploads.strikinglycdn.com/files/540f2d76-5d81-4031-b96d-03af206ee44a/35896586523.pdf
    • https://2ac56fc1-f7ee-4366-9cb2-1681469c68ee.filesusr.com/ugd/b914b5_724266b870034acca0c699474e769076.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9a9c06d1-5afc-43e9-b7f3-19e4a4c2478a/dowonajukodosawe.pdf
    • http://tiwedozesa.atwebpages.com/accounting_principles_10th_edition_free.pdf
    • https://ce55c564-0e79-48ac-bd91-a034cff8554b.filesusr.com/ugd/bd1fc0_4b360b4ad2154b57837f4b585f8c07e3.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d9bb0959-2b02-42f3-b4c7-db9f27655f08/ronamemolidusudepopunir.pdf
    • https://uploads.strikinglycdn.com/files/8f095685-fde7-4695-95cb-48fe47ddf79b/55085901368.pdf
    • https://uploads.strikinglycdn.com/files/fd52065a-0d5f-4933-9eef-b9a419075f58/body_rider_dual_trainer_replacement_belt.pdf
    • http://jesasudazewur.epizy.com/grohe_shower_mixer_valve_not_working.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e92f.bin
SHA-256: fc187c125bf56d9741c6356e28b523149b36de7dc1675c996c8c50fe9b7ae17f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE92F
Size: 5956 bytes
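The PDF_URI and EMBEDDED_URL heuristics in the Heuristics section, and the font carving shown under Extracted artifacts, can be reproduced with a small triage script. The following is an added example written for this page, not code from the analysis platform: it walks a PDF's indirect objects, inflates FlateDecode streams, labels each URL by the channel that reaches it (a /URI link action, the decoded document body, or an embedded sfnt font, which is where vendor and licence URLs such as scripts.sil.org/OFL normally come from), and carves sfnt font streams with their file offset and SHA-256. The sample PDF it runs on is constructed inline; the example.invalid hostnames and the fake font blob are placeholders, not data from the analysed file.

```python
"""Added example (not the analysis platform's code): label a PDF's URLs by channel and carve sfnt fonts."""
import hashlib
import re
import zlib

# RFC 3986 URL characters minus parens/quotes, so a URL in a "(...)" literal string stops at ")".
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&*+,;=%-]+")
# "N G obj ... endobj" (non-greedy; a full parser walks the xref table instead of regexing the file).
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.DOTALL)
# /A << /S /URI /URI (http://...) >>; hex-string /URI values are not handled here.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(([^)]*)\)", re.DOTALL)
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")


def iter_objects(pdf):
    """Yield (object number, dictionary bytes, raw stream bytes or None, file offset of stream data)."""
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        idx = body.find(b"stream")
        if idx < 0:
            yield num, body, None, -1
            continue
        head, start = body[:idx], idx + len(b"stream")
        start += 2 if body[start:start + 2] == b"\r\n" else 1  # skip the EOL after "stream"
        direct_len = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", head)
        if direct_len:
            raw = body[start:start + int(direct_len.group(1))]
        else:  # /Length is an indirect reference: fall back to the endstream keyword
            raw = body[start:body.rfind(b"endstream")].rstrip(b"\r\n")
        yield num, head, raw, m.start(2) + start


def decode_stream(head, raw):
    """Inflate FlateDecode streams; other filters are returned undecoded."""
    if b"/FlateDecode" in head:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw
    return raw


def extract_urls(pdf):
    """Deduplicated (channel, url) pairs, i.e. the per-URL labels behind EMBEDDED_URL."""
    found = []
    for _num, head, raw, _off in iter_objects(pdf):
        hits = [("link annotation", u) for u in URI_ACTION_RE.findall(head)]  # PDF_URI
        if raw is not None:
            data = decode_stream(head, raw)
            # A URL inside an sfnt font is almost always vendor/licence metadata, not a lure.
            channel = "embedded font" if data[:4] in SFNT_MAGICS else "document body"
            hits += [(channel, u) for u in URL_RE.findall(data)]
        for channel, url in hits:
            pair = (channel, url.decode("latin-1"))
            if pair not in found:
                found.append(pair)
    return found


def carve_fonts(pdf):
    """Carve sfnt font programs from streams, the way the pdf-font-stream artifact was produced."""
    fonts = []
    for _num, head, raw, off in iter_objects(pdf):
        data = decode_stream(head, raw) if raw is not None else b""
        if data[:4] in SFNT_MAGICS:
            fonts.append({
                "offset": off,  # file offset of the (still encoded) stream data
                "size": len(data),  # decoded size
                "sha256": hashlib.sha256(data).hexdigest(),
                "filename": f"font_{len(fonts):02d}_sfnt_off{off:08x}.bin",
            })
    return fonts


def build_sample_pdf():
    """Constructed sample, not the analysed file: a /URI link annotation, a Flate-compressed content
    stream whose text carries a second URL, and a fake sfnt blob (magic plus a licence URL) as the font."""
    content = zlib.compress(b"BT /F1 12 Tf 72 700 Td (see http://example.invalid/body-lure.pdf) Tj ET")
    font = zlib.compress(b"\x00\x01\x00\x00" + b"\x00" * 12 + b"http://scripts.sil.org/OFL\x00" + b"\x00" * 16)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >>",
        b"<< /Type /Annot /Subtype /Link /Rect [72 680 300 710]"
        b" /A << /S /URI /URI (https://example.invalid/award?keyword=basic+english+grammar+book+2+pdf) >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(content), content),
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(font), font),
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)
```

Running extract_urls(build_sample_pdf()) yields one URL per channel: the /URI action (the PDF_URI heuristic), the body text, and the font, which is how a licence URL like scripts.sil.org/OFL gets separated from a lure URL. The object walker is deliberately naive (a regex over the file rather than the xref table) and misses objects packed into /ObjStm object streams, and it does not inspect JavaScript or other action types that the platform's per-URL labels cover.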