Malicious PDF — malware analysis report

Static analysis result for SHA-256 db902ede88ea5bb4…

MALICIOUS

PDF

Size: 65.4 KB  Created: 2021-03-05 06:54:15 +02:00  Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4322ea7452f0f5796ae0276a85b0a040 SHA-1: 8e0ad68d1f3c48c6bbc310c8b773e3fbd46edfd8 SHA-256: db902ede88ea5bb4469cb0a9331e86f6d36affc74f316bef334ce5c03ebe51af
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that is flagged as suspicious and likely malicious by multiple detection engines. The document body, though heavily obfuscated, appears to contain keywords related to the URL, suggesting a phishing or social engineering lure. No scripts were extracted, but the presence of a suspicious URL and the ML classifier's output indicate a high likelihood of malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8603

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/award?keyword=4.3+mercruiser+engine+oil+capacity
    • https://cdn-cms.f-static.net/uploads/4375197/normal_601da9325f63b.pdf
    • https://cdn-cms.f-static.net/uploads/4459029/normal_60131c10c47d5.pdf
    • http://bhd-management.space/192463240633dwfh.pdf
    • https://static.s123-cdn-static.com/uploads/4486206/normal_5feb3081b858e.pdf
    • https://cdn-cms.f-static.net/uploads/4490371/normal_6014598ab6698.pdf
    • http://alluniversity.fun/monsters_inc_boos_door_numberui3ft.pdf
    • https://cdn-cms.f-static.net/uploads/4368969/normal_603fa34faaa30.pdf
    • https://static.s123-cdn-static.com/uploads/4393035/normal_5fc89f2ddf99b.pdf
    • https://static.s123-cdn-static.com/uploads/4393916/normal_5ff69a06af5da.pdf
    • http://doxulim.iblogger.org/how_to_cite_a_movie_mla_example.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://zowiseli.epizy.com/53866999622.pdf
    • http://losamipivoku.epizy.com/doraemon_episodes_in_telugu_videos.pdf
    • https://s3.amazonaws.com/tixedujegibex/99834185148.pdf
    • http://daruwenu.rf.gd/bundelkhand_university_jhansi_online_form.pdf
    • http://zobawukesilebaf.epizy.com/fosotirobup.pdf
    • http://paxovabaresubal.rf.gd/beautiful_small_baby_pictures.pdf
    • https://s3.amazonaws.com/dobesogum/aleister_crowley_poemas.pdf
    • http://pareruwawetis.rf.gd/64467763234.pdf
    • https://s3.amazonaws.com/tobobowu/marketing_information_system_definition_in_management.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e424.bin
SHA-256: be3320b4a45bffe6b2e86353f5f130d072a03431ef3cd373d88e10f036290058
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE424
Size: 5428 bytes