Malicious PDF — malware analysis report

Static analysis result for SHA-256 da1a813e5901fd51…

Verdict: MALICIOUS
File type: PDF
Size: 66.6 KB
Created: 2021-03-27 21:31:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cc4185d529e61fedff15fc2498ccc6ea
SHA-1: 1f09031bbc1bb05bf3ec196937a5eea9d71f6845
SHA-256: da1a813e5901fd511559c2cc67c09409ce4aa8c88b060be558be933b7f763e93
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

Both the ML classifier and ClamAV flag the file as malicious, consistent with a phishing lure or trojan downloader rather than an exploit document. The PDF carries an external URI action to a suspicious domain (jumiwimov.ru) whose utm_term parameter, navy+seal+requirements, doubles as the social-engineering hook, and the heavily obfuscated document body references dozens of further .pdf URLs on free-hosting and throwaway domains, so the file is best read as a redirector to a secondary malicious download. Two of the listed URLs (ascendercorp.com and scripts.sil.org/OFL) are almost certainly the vendor and license links carried by the embedded font rather than lure infrastructure and should not be blocked on their own. Note also that none of the heuristics below surfaces a JavaScript object, so the T1059.007 mapping is not corroborated by a listed artifact; the URLs, not scripting, are the actionable indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9448

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://jumiwimov.ru/aws?utm_term=navy+seal+requirements
    • http://jaxagogilexet.sportsontheweb.net/zodugos.pdf
    • http://hrushch.space/928303435oitw1.pdf
    • http://samoe-samaya.ru/basidiomycota_fungioamm5.pdf
    • http://lazinuno.scienceontheweb.net/medovipiretujokifad.pdf
    • http://septiki-rf.website/ridardv7wq.pdf
    • http://daludaja.getenjoyment.net/83683223144.pdf
    • http://serawuv.mygamesonline.org/45013979647.pdf
    • http://streichpack.online/honeywell_android_scanner_settingsxa829.pdf
    • http://ecoterritory.store/school_mark_sheet_in_excel_formatl0ptr.pdf
    • http://normab-id.com/5_steps_to_a_5_ap_english_language_2soh30.pdf
    • http://mesutilixuta.sportsontheweb.net/close_reading_annotations.pdf
    • http://axecheat9.xyz/vocabulary_words_with_meaning_in_tamil7okkz.pdf
    • http://dreamingdeveloper.com/82205559346sxikb.pdf
    • http://topsalon.xyz/how_to_connect_zen_thermostat_to_wifio0kai.pdf
    • http://xoroketogejuxe.mywebcommunity.org/kenwood_kdc_138_wiring.pdf
    • http://hopecommunitynaz.com/4172704915861faw.pdf
    • http://narovomesizi.medianewsonline.com/61044029487.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://xafuvarajuxeg.epizy.com/scert_text_books.pdf
    • https://uploads.strikinglycdn.com/files/8ccff577-b638-42c9-8c5a-9ca1da9c541d/how_bad_can_it_be_lorax_lyrics.pdf
    • http://bokatevifelu.epizy.com/37489744692.pdf
    • https://uploads.strikinglycdn.com/files/d5bc0e73-129e-4cc7-99eb-c47904c3b2c0/nespresso_lattissima_touch_buttons_guide.pdf
    • https://uploads.strikinglycdn.com/files/8e0170ac-c663-46b4-aa6f-4068e398f695/posujiwefisudel.pdf
    • http://bolonovanules.rf.gd/fubekobavure.pdf
    • https://uploads.strikinglycdn.com/files/24376d6b-5b18-49e4-8c46-6a2d4bb1d8fd/how_to_set_military_time_on_armitron_pro_sport_watch.pdf
    • https://uploads.strikinglycdn.com/files/781e3508-46ec-4a75-abf4-b33ba0379921/gezepomeminix.pdf
    • http://scripts.sil.org/OFL
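The per-URL channel labels above (URI action vs. JavaScript vs. document body) are what let an analyst decide whether a URL is a click target, an auto-run fetch, or just text. The script below, an added example and not the analysis platform's own code, reproduces that triage on a constructed PDF: it walks the objects, pulls the target out of each /URI action, and labels any other URL by whether it sits in a JavaScript action or in decoded page content. The hosts lure.test, js.test and body.test are placeholders; the assumption that a regex walk is sufficient holds for the flat sample here but not for PDFs that use object streams, cross-reference streams or encrypted strings, which need a real parser (pypdf, pdfminer) in front of this logic.

```python
"""Extract URLs from a PDF and label the channel that reaches each one.

Added example for this report, not the analysis platform's own code. It
separates /URI actions (clickable link annotations or a bare action object)
from URLs that merely occur in a JavaScript action or in decoded page
content, the same distinction the report draws when it says an extracted
URL is not by itself a detection. Only regex and zlib are used so it runs
offline on the constructed sample below; assumption: real-world PDFs with
object streams, cross-reference streams or encrypted strings need a full
parser (pypdf, pdfminer) ahead of this logic.
"""
import re
import zlib
from collections import defaultdict

URL_RE = re.compile(rb'https?://[^\s<>()\[\]"\'\\]+')
OBJ_RE = re.compile(rb'(\d+)\s+(\d+)\s+obj(.*?)endobj', re.S)
STREAM_RE = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.S)
URI_ACTION_RE = re.compile(rb'/S\s*/URI.*?/URI\s*\((.*?)(?<!\\)\)', re.S)
JS_ACTION_RE = re.compile(rb'/S\s*/JavaScript')
LINK_ANNOT_RE = re.compile(rb'/Subtype\s*/Link')


def _unescape(s: bytes) -> bytes:
    """Undo the backslash escapes allowed inside a PDF literal string."""
    return s.replace(b'\\)', b')').replace(b'\\(', b'(').replace(b'\\\\', b'\\')


def _decode_stream(raw: bytes) -> bytes:
    """Inflate a /FlateDecode stream; return other stream data unchanged."""
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return raw


def extract_urls(pdf: bytes) -> dict[str, set[str]]:
    """Map every URL in `pdf` to the channels that reach it:
    link_annotation, uri_action, javascript or document_body."""
    found: dict[str, set[str]] = defaultdict(set)
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        stream = STREAM_RE.search(body)
        dictionary = body[:stream.start()] if stream else body
        is_link = bool(LINK_ANNOT_RE.search(dictionary))
        is_js = bool(JS_ACTION_RE.search(dictionary))

        # /URI actions are the PDF's own "open this URL" mechanism.
        targets = set()
        for u in URI_ACTION_RE.finditer(dictionary):
            url = _unescape(u.group(1)).decode('latin-1')
            targets.add(url)
            found[url].add('link_annotation' if is_link else 'uri_action')

        # Everything else: URLs inside a JS action string or in the decoded
        # stream. A /JS stream referenced indirectly from a separate action
        # object is labelled document_body here; resolving that reference is
        # left to a full parser.
        text = _decode_stream(stream.group(1)) if stream else b''
        channel = 'javascript' if is_js else 'document_body'
        for raw_url in URL_RE.findall(dictionary + b'\n' + text):
            url = raw_url.decode('latin-1')
            if url not in targets:
                found[url].add(channel)
    return dict(found)


def build_sample_pdf() -> bytes:
    """Constructed minimal PDF (not the analysed sample): one link
    annotation with a /URI action, one JavaScript action, and one
    Flate-compressed content stream that mentions a URL in page text."""
    content = zlib.compress(b'BT /F1 12 Tf (Visit http://body.test/doc.pdf now) Tj ET')
    objs = [
        b'<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>',
        b'<< /Type /Pages /Kids [3 0 R] /Count 1 >>',
        b'<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 6 0 R >>',
        b'<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] '
        b'/A << /S /URI /URI (https://lure.test/aws?utm_term=x) >> >>',
        b'<< /S /JavaScript /JS (app.launchURL("http://js.test/p.pdf", true);) >>',
        b'<< /Length %d /Filter /FlateDecode >>\nstream\n' % len(content)
        + content + b'\nendstream',
    ]
    out = [b'%PDF-1.4']
    for num, obj in enumerate(objs, start=1):
        out.append(b'%d 0 obj\n' % num + obj + b'\nendobj')
    out.append(b'trailer << /Root 1 0 R >>\n%%EOF')
    return b'\n'.join(out)


if __name__ == '__main__':
    for url, channels in sorted(extract_urls(build_sample_pdf()).items()):
        print(f'{url:45} {", ".join(sorted(channels))}')
```

On the constructed sample the link annotation target is labelled link_annotation, the app.launchURL argument javascript, and the URL in page text document_body; only the first two would be worth a block rule on their own, which is exactly why the report keeps the "URL extracted" heuristic at info severity.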

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f2d5.bin
SHA-256: 1a8cdfb1a9284677ef33bd0031eeb1efacab06e367f8abf3a0cbe144073bd5bf
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF2D5
Size: 5088 bytes
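An artifact record like the one above (an sfnt font at a known offset with an exact size and hash) comes from carving, not from trusting the PDF's own /Length. The script below is an added example, not the analysis platform's code: it scans a byte blob for sfnt magics, validates and walks the table directory to recover the font's true length, rejects look-alikes such as the ASCII word "true" inside a PDF dictionary, and hashes what it carved. The constructed blob and two-table fake font are illustration only; the assumption that you run this over each decoded /FontFile, /FontFile2 or /FontFile3 stream (or over the raw file when the stream is stored uncompressed) is mine, not something the report states.

```python
"""Carve embedded sfnt font programs (TrueType/OpenType) out of a byte blob
and fingerprint them, which is how an artifact like "PDF embedded font
(sfnt) at offset 0xF2D5, 5088 bytes" is produced. Added example, not the
analysis platform's code. Instead of guessing where a font ends it walks
the sfnt table directory and takes the furthest table end as the length,
and it rejects byte runs that merely resemble a magic (the ASCII word
"true" in a PDF dictionary is the classic false positive). Assumption: on
a real PDF you would feed it each decoded /FontFile* stream, or the raw
file when the font stream is stored uncompressed.
"""
import hashlib
import struct
from typing import Optional

SFNT_MAGICS = (b'\x00\x01\x00\x00', b'OTTO', b'true')
MAX_TABLES = 64  # sanity bound; real fonts have far fewer tables


def sfnt_length(blob: bytes, off: int) -> Optional[int]:
    """Parse the sfnt header at `off` and return the font's total length,
    or None when the header is not a plausible table directory."""
    if off + 12 > len(blob):
        return None
    num_tables = struct.unpack_from('>H', blob, off + 4)[0]
    if not 0 < num_tables <= MAX_TABLES:
        return None
    end = 12 + 16 * num_tables
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        if rec + 16 > len(blob):
            return None
        tag, _checksum, t_off, t_len = struct.unpack_from('>4sIII', blob, rec)
        # Table tags are four printable ASCII bytes; offsets are font-relative.
        if not all(0x20 <= c < 0x7F for c in tag):
            return None
        if t_off < 12 or off + t_off + t_len > len(blob):
            return None
        end = max(end, t_off + t_len)
    return end


def carve_sfnt(blob: bytes) -> list:
    """Return one record per embedded sfnt: offset, size, SHA-256 and the
    file name an extraction pipeline would give it."""
    fonts = []
    pos = 0
    while True:
        hits = [h for h in (blob.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            return fonts
        off = min(hits)
        size = sfnt_length(blob, off)
        if size is None:            # magic bytes but no valid directory
            pos = off + 1
            continue
        data = blob[off:off + size]
        fonts.append({
            'filename': f'font_{len(fonts):02d}_sfnt_off{off:08x}.bin',
            'offset': off,
            'size': size,
            'sha256': hashlib.sha256(data).hexdigest(),
        })
        pos = off + size


def build_fake_sfnt() -> bytes:
    """Constructed two-table sfnt with dummy table bodies: enough structure
    for the directory walk, not a usable font."""
    tables = [(b'head', b'\x00' * 54), (b'name', b'\x01' * 20)]
    num = len(tables)
    # searchRange / entrySelector / rangeShift for two tables: 32, 1, 0
    header = struct.pack('>4sHHHH', b'\x00\x01\x00\x00', num, 32, 1, 0)
    directory, data = b'', b''
    base = 12 + 16 * num
    for tag, body in tables:
        directory += struct.pack('>4sIII', tag, 0, base + len(data), len(body))
        data += body + b'\x00' * (-len(body) % 4)   # tables are 4-byte aligned
    return header + directory + data


# Constructed PDF-like prefix containing the word "true" (a magic look-alike).
SAMPLE_PREFIX = b'%PDF-1.4\n7 0 obj\n<< /Length1 120 /Interpolate true >>\nstream\n'


def build_sample_blob() -> bytes:
    """Constructed blob: dictionary with a false-positive magic, then the
    fake font stored as an uncompressed stream."""
    return SAMPLE_PREFIX + build_fake_sfnt() + b'\nendstream\nendobj\n'


if __name__ == '__main__':
    for f in carve_sfnt(build_sample_blob()):
        print(f"{f['filename']}  offset=0x{f['offset']:X}  size={f['size']}  sha256={f['sha256']}")
```

The size check matters: a carve that stops at the stream's declared /Length, or at the next keyword, can truncate or over-read the font, and the SHA-256 then no longer matches the same font carried in another sample, which defeats the point of hashing carved artifacts for pivoting.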