Malicious PDF — malware analysis report

Static analysis result for SHA-256 dba83a9a311f08b6…

MALICIOUS

PDF

Size: 71.3 KB
Created: 2021-05-18 09:07:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 948c10a79156be3023cceeaa1273b8d7
SHA-1: 74ae5a5288c75dba0ee147af83f7af0714c89a63
SHA-256: dba83a9a311f08b698db5f8aa45f96f3b0191f58a42cccb6b63c61f339d9a560
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was flagged as malicious by both the ML classifier and ClamAV, indicating a high likelihood of malicious intent. The embedded URLs, which point to PDF files hosted on a range of unrelated domains (many of them under file-upload plugin paths), suggest a phishing or malware-distribution lure. Although no scripts were extracted from the document, PDFs carrying external links are a common delivery vehicle for social-engineering attacks such as spearphishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8225

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e8c6.bin
  SHA-256: 58b58db8ca8f8518233ec4a089c82912c7f50a1413dff91e9cbab963e0b89602
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE8C6
  Size: 5456 bytes

Filename: font_01_sfnt_off0000fb71.bin
  SHA-256: 4bdb9c7e0823f9311326122f4e88cdb41c0653865b08980700c31f98166b3c0e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFB71
  Size: 10372 bytes