Malicious PDF — malware analysis report

Static analysis result for SHA-256 e69767ca431c562e…

Verdict: MALICIOUS

File type: PDF

Size: 64.0 KB
Created: 2021-02-27 14:31:22 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8d5a1d3f38b13e0260b9aa1bae842fa3
SHA-1: c0f894e090c9834293df16b38b8314b942543268
SHA-256: e69767ca431c562e4fa21e63edc3477f445f6f50a95f66e0f0612cf3abad6fde
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is classified as malicious by both the ML classifier (score 0.9946) and ClamAV (Pdf.Phishing.Trojan signature), so the verdict rests on two independent detections rather than one. The document body is heavily obfuscated, but the recoverable text concerns claiming professional development units (PDUs), and an external URI action pointing to crophysi.ru was extracted whose query string repeats that lure ("how to claim pmi pdus"). Taken together this points to a phishing or credential-harvesting document whose link carries the reader off-host, potentially to a malware download. When triaging the remaining extracted URLs, note that www.ascendercorp.com and scripts.sil.org/OFL are font-vendor and SIL Open Font License strings of the kind routinely carried in embedded font metadata, and that the other links are to further PDFs on third-party file-hosting CDNs; none of them is a detection on its own and each should be checked through the channel that reached it.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9946

Heuristics (3)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://crophysi.ru/award?keyword=how+to+claim+pmi+pdus (target of the external URI action)
    • https://cdn-cms.f-static.net/uploads/4465545/normal_6014c5b905643.pdf
    • https://static.s123-cdn-static.com/uploads/4365624/normal_5fe49e2d75071.pdf
    • https://cdn.sqhk.co/kososojog/DDhehQL/20025484144.pdf
    • https://cdn-cms.f-static.net/uploads/4375083/normal_5fdc59d796b8e.pdf
    • https://cdn-cms.f-static.net/uploads/4383695/normal_5fd153a92558a.pdf
    • https://cdn-cms.f-static.net/uploads/4454561/normal_6039ae6a375ec.pdf
    • https://cdn.sqhk.co/nezazexador/hYjcieu/78044900733.pdf
    • https://cdn-cms.f-static.net/uploads/4393204/normal_60365a0bc1fca.pdf
    • https://static.s123-cdn-static.com/uploads/4392649/normal_5fc990c38b3f6.pdf
    • https://cdn.sqhk.co/genopeno/PheVkhb/vabaxovimi.pdf
    • https://static.s123-cdn-static.com/uploads/4383567/normal_5fe5636253f9c.pdf
    • https://cdn-cms.f-static.net/uploads/4384308/normal_5fda0efd45c7c.pdf
    • https://cdn.sqhk.co/libewepigux/jjhiaLn/h_and_r_block_tax_course.pdf
    • https://static.s123-cdn-static.com/uploads/4444885/normal_6006bc5b59c25.pdf
    • https://cdn-cms.f-static.net/uploads/4374537/normal_602960551df1c.pdf
    • https://static.s123-cdn-static.com/uploads/4462038/normal_5ff54726aeb30.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/pevarijidasalop/bexeluxugumov.pdf
    • https://s3.amazonaws.com/mojivikapeti/ejemplos_de_monografas_para_nios_de_cuarto_grado_de_primaria.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ea81.bin
SHA-256: 15743348968654ad6b0369c3e4380cf2185102d86b86b92e3378000a1bfb85c9
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xEA81
Size: 5176 bytes
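As an added example, not part of this report or of the tooling that produced it, the script below shows how the two findings above are obtained from a PDF in the general case: the "External URI" heuristic (a /URI action that may sit inside a FlateDecode-compressed object, so a plain strings run misses it) and the "Extracted artifacts" entry (a font stream carved by its sfnt magic, reported with its absolute file offset). The PDF it scans is constructed inline and is not the analysed sample; the hypothetical URL example.invalid and the function names are the example's own.

```python
import re
import zlib

# Constructed sample input (not the analysed file): one link annotation whose
# /URI action is hidden in a FlateDecode stream, plus one embedded font stream.
# FONT_SFNT is only an sfnt header (version 1.0, one 'glyf' table record),
# enough to be recognised by magic; it is not a loadable font.
FONT_SFNT = (b"\x00\x01\x00\x00" + b"\x00\x01\x00\x10\x00\x00\x00\x00"
             + b"glyf" + b"\x00" * 12)
URI_OBJ = b"<< /Type /Action /S /URI /URI (https://example.invalid/award?keyword=test) >>"


def build_pdf() -> bytes:
    """Assemble a minimal PDF; offsets are not tracked (no xref), which
    is enough for a carving pass that scans the bytes directly."""
    compressed = zlib.compress(URI_OBJ)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n",
        b"4 0 obj << /Type /Annot /Subtype /Link /A 5 0 R >> endobj\n",
        b"5 0 obj << /Filter /FlateDecode /Length %d >> stream\n" % len(compressed),
        compressed, b"\nendstream endobj\n",
        b"6 0 obj << /Length1 %d /Length %d >> stream\n" % (len(FONT_SFNT), len(FONT_SFNT)),
        FONT_SFNT, b"\nendstream endobj\n",
        b"trailer << /Root 1 0 R >>\n%EOF\n",
    ])


# Dictionary immediately preceding 'stream' (tempered dot: no nested '<<'),
# then the stream body up to the first 'endstream'.
STREAM_RE = re.compile(rb"(<<(?:(?!<<).)*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# TrueType 1.0, OpenType CFF, Apple 'true', and TrueType collection magics.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")


def iter_streams(pdf: bytes):
    """Yield (dictionary, raw stream bytes, absolute offset of stream data)."""
    for m in STREAM_RE.finditer(pdf):
        yield m.group(1), m.group(2), m.start(2)


def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Inflate FlateDecode streams; anything else (or corrupt data) is returned raw."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw
    return raw


def extract_uris(pdf: bytes, decode_streams: bool = True) -> list:
    """Collect /URI targets from the raw file and, optionally, from every
    decoded stream. With decode_streams=False this behaves like 'strings'."""
    found = set(URI_RE.findall(pdf))
    if decode_streams:
        for d, raw, _ in iter_streams(pdf):
            found.update(URI_RE.findall(decode_stream(d, raw)))
    return sorted(u.decode("latin-1") for u in found)


def carve_fonts(pdf: bytes) -> list:
    """Return [(offset, data)] for streams whose decoded data starts with an
    sfnt magic, i.e. candidate embedded fonts worth hashing separately."""
    fonts = []
    for d, raw, off in iter_streams(pdf):
        data = decode_stream(d, raw)
        if data[:4] in SFNT_MAGICS:
            fonts.append((off, data))
    return fonts


if __name__ == "__main__":
    sample = build_pdf()
    print("raw-only URIs:   ", extract_uris(sample, decode_streams=False))
    print("decoded URIs:    ", extract_uris(sample))
    for off, data in carve_fonts(sample):
        print("font stream at offset 0x%X, %d bytes" % (off, len(data)))
```

The raw-only pass returns nothing for this sample while the decoded pass finds the link, which is the same gap a strings-based triage leaves on an obfuscated document. The offset reported for a carved font is the byte position of the stream data in the file, which is what an artifact name such as font_00_sfnt_off0000ea81.bin encodes.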