PDF malware analysis — malicious · e2c9d8f478941cdf

MALICIOUS

PDF

173.3 KB Created: 2021-06-03 13:07:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 97cfffeee301407b7fd2a91be655936c SHA-1: 4ed77c17003c8986891783d2ad42d398d409705b SHA-256: e2c9d8f478941cdf16e116a671aaa3d5718ac362f8e4ab414ebcb67369278ab3

94 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URL that likely leads to a phishing site or malware download. The document body, though heavily obfuscated, appears to be a lure related to educational materials, suggesting a targeted phishing campaign.

Machine Learning

Nyx PDF Classifier malicious score 0.8879

Heuristics 3

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://synerhu.ru/pbw?utm_term=9.s%25C4%25B1n%25C4%25B1f+edebiyat+soru+bankas%25C4%25B1+indir+2020
- https://static.s123-cdn-static.com/uploads/4388424/normal_5ff85bffe6c8f.pdf
- https://static.s123-cdn-static.com/uploads/4444096/normal_5ff7718221f97.pdf
- https://cdn-cms.f-static.net/uploads/4470681/normal_604f162a384b6.pdf
- https://static.s123-cdn-static.com/uploads/4453732/normal_5fcc2a0de4ba8.pdf
- https://cdn-cms.f-static.net/uploads/4409421/normal_60308efb764b3.pdf
- https://vedakevuvapi.weebly.com/uploads/1/3/4/0/134013486/6896248.pdf
- https://cdn-cms.f-static.net/uploads/4471946/normal_604111dc0d390.pdf
- https://rujurujubawupof.weebly.com/uploads/1/3/0/9/130969172/7108517.pdf
- https://zexexidiwe.weebly.com/uploads/1/3/5/3/135330220/2466732.pdf
- https://static.s123-cdn-static.com/uploads/4443814/normal_5fdf0eebe1de9.pdf
- https://static.s123-cdn-static.com/uploads/4372723/normal_5fe29333f268e.pdf
- https://setojeduvesile.weebly.com/uploads/1/3/4/5/134587971/5117258.pdf
- https://static.s123-cdn-static.com/uploads/4425229/normal_5ff651d640690.pdf
- https://static.s123-cdn-static.com/uploads/4365998/normal_5fccaa3c5069f.pdf
- https://kesegupopu.weebly.com/uploads/1/3/4/1/134131766/vavobopom.pdf
- https://gefipozaxafuni.weebly.com/uploads/1/3/5/3/135312829/wiwowiwed.pdf
- https://static.s123-cdn-static.com/uploads/4379030/normal_5fc8adee5d6e4.pdf
- https://cdn-cms.f-static.net/uploads/4454301/normal_606a549f71eda.pdf
- http://fontawesome.iohttp://fontawesome.io/license/
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/6264221b-18c3-413c-a5aa-2597354cfd58/how_to_start_an_amana_washing_machine.pdf
- https://uploads.strikinglycdn.com/files/7e1b4556-8c7b-477c-9b60-51e5a9c45f4c/22716581304.pdf
- https://uploads.strikinglycdn.com/files/dea18b7d-6dfd-4a65-80d6-ec2b36b4ec48/directv_remote_control_codes_for_vizio_tv.pdf
- http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0002711a.bin` `b793c87d3397961c0c881c615b0d7caad3bd6a0a2deb69446b72a8053b09485a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2711A	1540 bytes
`font_01_sfnt_off000278fe.bin` `978573627412816cebbf23a8e0c20c4a5ac44138eec304ce96d5c8939cd78358`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x278FE	5576 bytes
`font_02_sfnt_off00028c08.bin` `cb858900cf8b9727d6974e7251dcaae8d85658b1f97da36728c09ea6dbd87815`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x28C08	12808 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.