Malicious PDF — malware analysis report

Static analysis result for SHA-256 e63b3ffe0cb091f7…

Verdict: MALICIOUS
File type: PDF
Size: 54.5 KB
Created: 2021-04-05 00:18:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: adb6aa6ea86abce9285314f630bdd51a
SHA-1: c12ec3246b1349832a8e6876da938a675980933a
SHA-256: e63b3ffe0cb091f768538e5d80613d685010526647ce349f9c91453f9b39deb4
Risk Score: 114

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF is identified as a phishing lure due to its structure, containing only an image and a clickable action. The embedded URL points to a suspicious domain, likely serving as the initial landing page for a phishing attack or to download a secondary payload. ClamAV and ML classifiers also flagged this file as malicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8304

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-only document with action trigger (screenshot lure) (medium, PDF_IMAGE_LURE)
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 54 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://dugedepap.ru/award?keyword=change+management+process+in+project+management+pdf
    • https://jasefeneg.weebly.com/uploads/1/3/4/4/134489721/275332.pdf
    • https://static.s123-cdn-static.com/uploads/4467038/normal_5ff86572b499a.pdf
    • https://cdn-cms.f-static.net/uploads/4488323/normal_6021006dc5f09.pdf
    • https://cdn-cms.f-static.net/uploads/4481280/normal_6065a459cc3a4.pdf
    • https://tukuboxux.weebly.com/uploads/1/3/4/5/134510407/b5dec8b3c.pdf
    • https://cdn-cms.f-static.net/uploads/4412900/normal_601307afed0b0.pdf
    • https://cdn-cms.f-static.net/uploads/4413967/normal_605cb87173e88.pdf
    • https://xulomonixibeneg.weebly.com/uploads/1/3/1/4/131455416/4526363.pdf
    • http://mubojumef.iblogger.org/watovupezeten.pdf
    • https://cdn-cms.f-static.net/uploads/4474205/normal_6051c1ddcacab.pdf
    • https://cdn-cms.f-static.net/uploads/4378390/normal_605d9734d022d.pdf
    • https://cdn-cms.f-static.net/uploads/4403673/normal_600e54a77ed66.pdf
    • https://uploads.strikinglycdn.com/files/d77abe17-b9d1-4baf-a23f-76c9b5bef211/7853173500.pdf
    • http://xawuxona.epizy.com/uscg_auxiliary_form_7012.pdf
    • https://uploads.strikinglycdn.com/files/f83dcb67-f995-4a66-b7fc-df23706d022b/algorithms_in_c_robert_sedgewick_download.pdf
    • https://s3.amazonaws.com/ropuba/22267055209.pdf
    • http://dukutogesedu.epizy.com/call_of_duty_all_parts.pdf
    • http://lalexipitu.rf.gd/uc_browser_for_android_2.pdf
    • https://uploads.strikinglycdn.com/files/79480d2a-6b51-4833-9491-07e99be77734/what_restaurants_are_giving_free_food_for_veterans_on_veterans_day.pdf
    • https://uploads.strikinglycdn.com/files/6ade1253-2a13-4328-b2df-1ce82d157323/wokatowugifin.pdf
    • http://xigufogadenake.epizy.com/loguxajegadixefo.pdf
    • https://uploads.strikinglycdn.com/files/cdc05ce9-9c45-423f-abe4-e6f37ee8134c/26469192564.pdf
    • https://s3.amazonaws.com/bodajaku/71996895033.pdf