Malicious PDF — malware analysis report

Static analysis result for SHA-256 d092a27392c5143d…

Verdict: MALICIOUS
File type: PDF
Size: 91.6 KB
Created: 2021-03-15 21:04:42 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 758b4e215a143f7307114f85a51c60d9
SHA-1: f5d125beb707098decb3eb7a79d20a4f8b16b833
SHA-256: d092a27392c5143d07e6f13d126e190e5208c7cf9ccdfd09faf7f0c08a367e95
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that mimics a search result, likely to trick users into visiting a malicious site. ClamAV detected this file as a phishing trojan, and ML classifiers also flagged it as malicious. No scripts were extracted, but the presence of an external URI and the overall detection suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8941

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://maypoin.ru/aws?utm_term=is+mortal+kombat+legacy+canon
    • https://cdn-cms.f-static.net/uploads/4413236/normal_6036a0155d4b7.pdf
    • https://cdn-cms.f-static.net/uploads/4501198/normal_604d20097ea92.pdf
    • http://pawezujexas.mywebcommunity.org/putavugusosorejulu.pdf
    • http://gidujoluj.mypressonline.com/bank_nifty_books.pdf
    • http://zakewabo.scienceontheweb.net/15695561971.pdf
    • http://rodojad.iblogger.org/what_the_bible_says_about_strong_wine.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/zumezeviwakiz/puwalafojewite.pdf
    • http://vavuliremu.rf.gd/how_to_tell_if_you_have_a_geothermal_heat_pump.pdf
    • http://weralawubuzeg.epizy.com/3w_clinic_fresh_mask_sheet_review.pdf
    • https://s3.amazonaws.com/rodakarugupoko/54076716413.pdf
    • http://musizaxodolof.epizy.com/printable_5-_tab_divider_template.pdf
    • http://gakilasefit.myartsonline.com/jorurofetefuduripobi.pdf
    • http://xajizufobuvofo.epizy.com/koboridosukubatenebator.pdf
    • http://pekagotikoweguf.epizy.com/rasudetimenofapofedom.pdf
    • http://desiwafinu.epizy.com/certificate_of_completion_construction_form.pdf
    • https://s3.amazonaws.com/mutirexa/14190223433.pdf
    • https://uploads.strikinglycdn.com/files/1aeb29fe-5bfb-48e0-87d3-bb49c516ebb6/if_the_savior_stood_beside_me_lyrics_and_chords.pdf
    • https://uploads.strikinglycdn.com/files/4edf4164-0813-47f4-8721-ad27baeec87d/sipumebopowimurulom.pdf
    • https://s3.amazonaws.com/dinigugaxej/email_cheat_sheet_apple.pdf
    • http://tesoxukezeziles.epizy.com/look_back_in_anger_text.pdf
    • https://uploads.strikinglycdn.com/files/5b8becd0-9373-4cd4-a19b-3d0466c78887/dunkin_caramel_iced_coffee_black_calories.pdf
    • https://s3.amazonaws.com/xanunafojuloki/action_verb_worksheets_for_grade_2.pdf
    • http://tijopuzotozume.rf.gd/dofakisajoki.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00014717.bin
    SHA-256: 3b7ef0894139814cedc2ca703c38df33e959fc646087e2b5392da8e2492e6c52
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14717
    Size: 5100 bytes