Malicious PDF — malware analysis report

Static analysis result for SHA-256 e67f20d8b1509776…

Verdict: MALICIOUS

File type: PDF

Size: 69.5 KB
Created: 2021-03-24 20:46:52 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 83d54cfd7db3b5841b153012db594e90
SHA-1: 9f903ccb271ec8625656895a9596e5f47147c5de
SHA-256: e67f20d8b1509776e8a731dd4a4e30dda2d71c0975523e1def63c1bd8448515b
Risk Score: 64

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with a specific signature indicating it is a phishing trojan. It contains an embedded URI pointing to a suspicious domain, which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, suggests a lure related to a 'motivation test'. No scripts were extracted, but the presence of an external URI and the ClamAV detection strongly suggest a malicious intent to redirect the user to a harmful site.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4770

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://druttle.ru/award?keyword=achievement+motivation+test+pdf