Malicious PDF — malware analysis report

Static analysis result for SHA-256 ecc0aaebe23e92cb…

MALICIOUS

PDF

61.3 KB Created: 2021-03-10 22:45:21 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4b9743a478fa411ca51aacc01b14758d SHA-1: df1bd3b15c2c48ea871725871d2f03fd772284ce SHA-256: ecc0aaebe23e92cbbefaa7902f605adeed70e1099e01e1c3249d277e01b7b43e
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was detected as malicious by ClamAV and an ML classifier, and contains an embedded URI pointing to a suspicious domain. The document body, though heavily obfuscated, suggests a lure related to a 'Vadodara city map pdf'. The presence of numerous external URLs indicates an attempt to redirect the user to a malicious site, likely for payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9299

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/award?keyword=vadodara+city+map+pdf
    • https://cdn.sqhk.co/wuladupuzo/jNiaID3/netflix_android_box_hd.pdf
    • https://cdn.sqhk.co/lexaxemiji/hiIyQey/bivute.pdf
    • http://italysummer.space/world_conqueror_3_hack_full_apk2ncrd.pdf
    • https://cdn.sqhk.co/lewoxiguj/ghjhcwH/7114362182.pdf
    • http://kigurumi.org/1606941029vytgq.pdf
    • http://stikc.xyz/origins_trial_of_the_gods6qbxl.pdf
    • https://cdn.sqhk.co/tenalewi/Qhhqyjf/ranemima.pdf
    • https://cdn.sqhk.co/zururodi/geRhcjf/pop_music_stars_of_the_80_s.pdf
    • https://cdn.sqhk.co/dasofuduveje/TI4rgf1/xatepimipavereja.pdf
    • https://cdn.sqhk.co/jogeguzotire/jehdifa/53708598869.pdf
    • http://sorujod.22web.org/einstein_bagel_nutrition_information.pdf
    • https://cdn-cms.f-static.net/uploads/4481157/normal_5fd9758d57a4e.pdf
    • http://budonap.iblogger.org/lemikome.pdf
    • http://esplus.pro/aruba_clearpass_trialwmxx7.pdf
    • http://zugunef.22web.org/janatics_pneumatic_cylinder_catalogue.pdf
    • http://vuvefezod.iblogger.org/marketplace_mobile_app_template.pdf
    • http://f13x.xyz/never_gone_2016s8i7q.pdf
    • http://zilijakal.iblogger.org/punenisu.pdf
    • https://static.s123-cdn-static.com/uploads/4406166/normal_5ffe9ba898bf3.pdf
    • https://cdn.sqhk.co/tuwagezo/jduBKhd/towovejemiwemubufamonoza.pdf
    • http://mazoxobiziwikut.iblogger.org/dstv_203_guide_today.pdf
    • https://cdn.sqhk.co/kululojilo/Gjekp6B/sexadediz.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://virirunabeso.rf.gd/bujisuzifowo.pdf
    • http://tetaxejil.rf.gd/caballo_de_troya_saga_completa_descargar_gratis.pdf
    • http://gobonelore.epizy.com/53136294645.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e825.bin
65e56f9bacf535c95bc50cebd667c369368770549ff2b291b8769d120ec7aaac		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE825 5160 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.