Malicious PDF — malware analysis report

Static analysis result for SHA-256 de59e3f714970b1d…

Verdict: MALICIOUS
File type: PDF
Size: 656.5 KB
Created: 2021-04-09 18:49:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b316c7ae2fa270066f641c0aa093f855
SHA-1: 2d388718808fdd2908b8c0999826c68a52b399c5
SHA-256: de59e3f714970b1d053465fc69fb092f10666aafe88277deff1f1aec725bea90
Risk score: 64

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with a 'Pdf.Phishing.Trojan' signature. The document body contains text related to a game crack, and an embedded URI points to a URL that also mentions a game crack. This suggests a phishing or social engineering attack aiming to trick users into downloading malware.

Machine Learning

  • Nyx PDF Classifier clean score 0.0131

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info, PDF_URI]
    PDF contains an external URL action
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0005e3b2.bin | 0837e9e137591910f86fec8b3b744f31fa5f8b55fc2c13fe69a1211abe3c3b9a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5E3B2 | 8476 bytes
font_01_sfnt_off0005fa41.bin | 34f266d1c0240eca0998569004a7c4631f5135f314d718484a5c034125e133af | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5FA41 | 187048 bytes
font_02_sfnt_off0008202a.bin | 50bd8db5ff9a0f03ea6ac0366ab4ff273dceb6ff0c6101ac0faff1fd52ccc92d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8202A | 6168 bytes
font_03_sfnt_off00082fcc.bin | c5f5400711dd571447bfb4c46a3a3c96124fe35261b8fb6187e32123187fc70e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x82FCC | 5332 bytes
font_04_sfnt_off000841fb.bin | e1e5d19d16db50c630cb1365578f6dd9718eeff742a8a4519d283816eff0df5b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x841FB | 8904 bytes
font_05_sfnt_off000853a7.bin | 021cd3d5487286a76925076ef9fd923c49bc12cd94a83a5d8c4f98522291720e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x853A7 | 134784 bytes
font_06_sfnt_off0009cd97.bin | 056fb978cf6467ec5662b405f95dabcf3cf8512fc4c3bcd1b4b9572e7e693117 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9CD97 | 15360 bytes
font_07_sfnt_off000a0047.bin | 177d9830221da7795a44171d236b7f77e8718e557d4a8d088c566b9758a5c80c | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA0047 | 24536 bytes
font_08_sfnt_off000a2f3f.bin | 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA2F3F | 4324 bytes
font_09_sfnt_off000a3cfb.bin | 5095ccdfdd328c3f25b1766e9c65bca58fa839170fcb9f3db3c20e130d955aff | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA3CFB | 1736 bytes