Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3e837960a07892c…

Verdict: MALICIOUS

File type: PDF

  • Size: 66.8 KB
  • Created: 2021-02-28 16:28:44 +02:00
  • Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
  • MD5: ed57570614c7e4e6981e88aa24c1a839
  • SHA-1: bd7f0f22ce8ab983bcd55310592c405efc2e5229
  • SHA-256: d3e837960a07892c3340c2d4fe85216061370ca2a8db6001a6c87f714b991e03

Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a URL that appears to be a phishing lure, disguised as a free download for 'advanced calculus'. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution. No scripts were extracted, but the embedded URI is a primary indicator of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7801

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/award?keyword=advanced+calculus+pdf+free+download
    • http://lenuvivureropi.scienceontheweb.net/40828744875.pdf
    • https://taleputara.weebly.com/uploads/1/3/4/3/134305900/xulatabejimojo_delaxu.pdf
    • https://kobizixudowizeb.weebly.com/uploads/1/3/4/4/134402546/jalejisan-jurukopasomo.pdf
    • http://tonedomopoja.scienceontheweb.net/5668499497.pdf
    • https://tedamitaza.weebly.com/uploads/1/3/0/7/130740371/1e38b1d8.pdf
    • https://mitiguranam.weebly.com/uploads/1/3/4/4/134456526/bcb703d760ec.pdf
    • https://cdn-cms.f-static.net/uploads/4495860/normal_6018029208908.pdf
    • https://cdn-cms.f-static.net/uploads/4412767/normal_602e1df0118af.pdf
    • https://cdn-cms.f-static.net/uploads/4468268/normal_600ea05fe69c9.pdf
    • https://mujabimebedegi.weebly.com/uploads/1/3/4/2/134234846/terowazojiwibesixa.pdf
    • https://static.s123-cdn-static.com/uploads/4393628/normal_5fc9dcaa599ba.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://monudoxufanexax.rf.gd/7538526181.pdf
    • http://jovesupegomiz.epizy.com/jenn_air_convection_oven_how_to_use.pdf
    • http://pagupim.epizy.com/55432577137.pdf
    • http://bikaxubu.rf.gd/rowdy_baby_hd_video_free.pdf
    • http://gilebufamefaf.rf.gd/85828734516.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000d5e8.bin
    SHA-256: d72059d5ab1d4ab857adce6152b010466e01ccdab2db97b093f2a6079cfb61df
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD5E8
    Size: 5044 bytes
  • font_01_sfnt_off0000e72d.bin
    SHA-256: 30bbce9a60132ab5840b03a05a404b4d8855f98ba903d85026c228254504e1b0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE72D
    Size: 10184 bytes