Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7ab07bf7a565b2e…

Verdict: MALICIOUS

File type: PDF
Size: 55.8 KB
Created: 2021-03-15 19:51:03 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 08afaf01651feb1749d69972568f7baa
SHA-1: 4d19a364e2341843cdaeb6dfc2dbaf1b44723934
SHA-256: e7ab07bf7a565b2e65097c96231b8aa774e04b126134cb71e81875c00c5566cf
Risk Score: 114

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF is identified as malicious by ClamAV and an ML classifier, and heuristics indicate it is an image-only lure designed to trick users into clicking an external link. The embedded URL, https://crophysi.ru/award?keyword=abraham+maslow+theory+of+needs+pdf, is the primary indicator of this phishing or download attempt. No scripts were extracted, but the PDF structure itself (a single full-page image, no text, and an outbound link action) points to malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.6222

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-only document with action trigger (screenshot lure) [medium] PDF_IMAGE_LURE
    PDF has 1 image(s) and 0 text block(s), carries a click-outward action, and is only 55 KB: the typical shape of a phishing lure in which a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://crophysi.ru/award?keyword=abraham+maslow+theory+of+needs+pdf