Malicious PDF — malware analysis report

Static analysis result for SHA-256 e4f4ed0911e89eb4…

Verdict: MALICIOUS

File type: PDF

Size: 66.6 KB
Created: 2021-04-02 03:59:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a3bd309388d0605560ea35664b9beb4b
SHA-1: 2b768abbc34d3225fa0446cd52064fcd07d58d3e
SHA-256: e4f4ed0911e89eb4d52b8e2d4601f19671ed507376325fdad5967d35325f0d83
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

A heuristic fired on an external URI in the PDF that points to a suspicious domain, which is also listed as an IOC. The document body, though heavily obfuscated, appears to be a lure styled as search results. The embedded URLs together with the ML classifier's high confidence score indicate malicious intent, most likely redirecting the user to a phishing or malware distribution site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9676

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://vilenefex.ru/aws?utm_term=cuisinart+electric+pressure+cooker+directions

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f562.bin
SHA-256: cb76c27dca9f3c6f76707d80eb6ac6d12d1fd85f1d09c775611050bc0e381e36
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF562
Size: 5036 bytes