Malicious PDF — malware analysis report

Static analysis result for SHA-256 e682b1b5bc9ac351…

Verdict: MALICIOUS
File type: PDF
Size: 66.6 KB
Created: 2021-03-30 17:20:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6103cff3e0d762c4c51d38e2947c37f4
SHA-1: b631de87e9ed401b0f51574de7773589d5ce45d4
SHA-256: e682b1b5bc9ac35168c7f5e4af1022021b3fb88a32c872b9e87822d0ff985241
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF that contains an embedded URL pointing to a suspicious domain, identified by ClamAV as Pdf.Phishing.Trojan. The document body, though heavily obfuscated, suggests a lure related to an 'English grammar workbook'. The External URI heuristic (the PDF carries an external URL action) further supports the assessment that the document is intended to direct users to a potentially harmful site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7994

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://maypoin.ru/aws?utm_term=english+grammar+workbook+for+dummies+with+online+practice

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f228.bin
SHA-256: ce2c871fcfdde32474673f4a2cec23939a2c703a1e9c61d252ca2b07c4ebb8d0
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF228
Size: 5704 bytes