Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1f64a0f47bdf54b…

Verdict: MALICIOUS
File type: PDF
Size: 65.4 KB
Created: 2021-02-25 15:01:31 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-17
MD5: 74f5bf8130dd682d72b9f8e412474c86
SHA-1: 5fa457bd432f08f0d193aa8c5a63e1254a87bc42
SHA-256: f1f64a0f47bdf54b3f5c8264161a46201389fe229b26bd7276b0a7f5cd4027d1
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that directs users to a suspicious domain, masquerading as information about performance reviews. This URL is likely intended to host a malicious payload or phishing content. The ML classifier and ClamAV detection strongly indicate malicious intent, consistent with a phishing or trojan delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9539

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/award?keyword=words+to+avoid+in+a+performance+review (via PDF link annotation)
    • https://cdn.sqhk.co/kavejufa/bhbOkgj/tiled_map_editor_download.pdf (in PDF document text)
    • https://cdn.sqhk.co/ketalidukepi/9jhM1hj/55062665786.pdf (in PDF document text)
    • https://cdn.sqhk.co/sifalavuxozo/nafhgWE/jasabizakalukux.pdf (in PDF document text)
    • http://komaxinatobofe.medianewsonline.com/funny_writing_prompts_for_5th_grade.pdf (in PDF document text)
    • http://jugatilewe.22web.org/how_to_change_battery_toyota_corolla_2009.pdf (in PDF document text)
    • http://suzamajotibe.mywebcommunity.org/how_to_find_ip_address_on_canon_mx490_printer.pdf (in PDF document text)
    • http://tezibif.mygamesonline.org/possessive_nouns_quiz_grade_6.pdf (in PDF document text)
    • http://rosutob.getenjoyment.net/watch_hunger_games_mockingjay_part_2_online_free.pdf (in PDF document text)
    • http://dumubemajizukov.medianewsonline.com/jerafu.pdf (in PDF document text)
    • http://icub.tech/eia_weekly_report_schedulemxtop.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/zobuwubedak/avivamento_no_pais_de_gales_livro.pdf (in PDF document text)
    • http://pujumek.myartsonline.com/philosophy_of_punishment_book.pdf (in PDF document text)
    • http://xolavozezimodan.onlinewebshop.net/sharp_calculator_el-1197pii_manual.pdf (in PDF document text)
    • https://s3.amazonaws.com/lonozote/braun_silk_epil_9_manual_english.pdf (in PDF document text)
    • https://s3.amazonaws.com/bizamesuwepe/97094853985.pdf (in PDF document text)
    • http://rukosivujuxu.atwebpages.com/how_to_change_the_drive_belt_on_my_husqvarna_riding_mower.pdf (in PDF document text)
    • https://s3.amazonaws.com/kiwopusafize/xopaz.pdf (in PDF document text)
    • http://nawopezor.rf.gd/band_song_ringtone.pdf (in PDF document text)
    • http://viwukapatajomi.rf.gd/acknowledgement_sample_for_undergraduate_thesis.pdf (in PDF document text)
    • https://s3.amazonaws.com/guxosa/roblox_black_adidas_t_shirt_template.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f5ec.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF5EC
Size: 5436 bytes
SHA-256: 92b75a30d9e4ed25f46ec568ab99d5cebb9698023326b2f869090fb743234219