Malicious PDF — malware analysis report

Static analysis result for SHA-256 f3e77a28c22f417b…

Verdict: MALICIOUS
File type: PDF
Size: 48.4 KB
Created: 2021-05-02 16:09:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9da6739cd4a59955a7da78a667bd31a8
SHA-1: 0adeff5b13dec896cf382ec30da07e49b3dbc8b8
SHA-256: f3e77a28c22f417b497b45c5d6973cc851d49d2e3aca00d1f87f38527093ada8
Risk Score: 114

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF is identified as malicious by ML classifiers and ClamAV, and exhibits characteristics of a phishing lure due to its image-heavy nature and embedded clickable URI. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, a tool often used to create PDF lures. The primary external URI, https://lozipotod.ru/strik, is likely the destination for the phishing attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8020

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 48 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/strik?utm_term=fisher+price+sweet+surroundings+swing+power+cord
    • http://xogovegakim.22web.org/gelezigox.pdf
    • https://cdn.sqhk.co/fikubife/EicRiaq/kb2485_backhoe_for_sale.pdf
    • http://remoliwagofaju.mywebcommunity.org/77611074327.pdf
    • http://bukezisafa.iblogger.org/taking_action_a_handbook_for_rti_at_work.pdf
    • http://wipalogazagak.22web.org/80321992543.pdf
    • https://cdn.sqhk.co/gedofovel/hoj7Zhd/bizeladojefovuwa.pdf
    • https://koredude.weebly.com/uploads/1/3/1/4/131406285/texiwaxitapipotiza.pdf
    • http://jajokojunewi.mypressonline.com/california_dreaming_fingerstyle_tab.pdf
    • https://cdn.sqhk.co/goberirud/gcjgv1J/xomejawixowawefiponavowo.pdf
    • https://zomijozefabeten.weebly.com/uploads/1/3/4/6/134636393/f18dfffad17ae.pdf
    • http://vurujupafowutox.mypressonline.com/equity_alarm_clock_model_30022.pdf
    • https://soberonapi.weebly.com/uploads/1/3/2/6/132681790/e5e503d0.pdf
    • http://dagomakiluje.iblogger.org/65094518388.pdf
    • https://telonilinip.weebly.com/uploads/1/3/6/0/136050587/komuleniminerukimox.pdf
    • https://cdn.sqhk.co/towinomer/e3jejiu/saladin_movie_cast.pdf
    • http://jikusofare.mywebcommunity.org/kenneth_cole_watch.pdf
    • https://uploads.strikinglycdn.com/files/1aafdc1e-9465-438e-b826-7a02301e40fc/primordial_greek_mythology_playing_cards.pdf
    • http://ratosore.epizy.com/file_sang_hnh_nh.pdf
    • http://degevojorak.myartsonline.com/22401707464.pdf
    • http://beninoduvewer.epizy.com/homeland_security_illegal_immigration_reporting.pdf
    • http://ketaxesam.epizy.com/93153010396.pdf
    • https://uploads.strikinglycdn.com/files/1bfac949-1504-4958-898d-f82a573c4134/97439123662.pdf