Malicious PDF — malware analysis report

Static analysis result for SHA-256 f6152fa5e2324950…

Verdict: MALICIOUS
File type: PDF
Size: 94.9 KB
Created: 2021-04-23 12:40:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-24
MD5: a2313e419bc69ca49ede503df8ee9a2c
SHA-1: 57a97dd88eecef37e7294f7a723cd31b1338d547
SHA-256: f6152fa5e232495075ab3227fb4ee96fc14d9b5d35a3487f8bf99330f523eea9
Risk score: 64

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF carries one clickable link annotation whose /URI action points to soxebez.ru; an external URL action to an untrusted domain is the primary indicator here of phishing or redirection to malware, and the ClamAV signature Pdf.Phishing.Trojan is consistent with that assessment. No JavaScript or other script was extracted from the file, so the T1059.007 mapping is not supported by the carved artifacts and should be treated as tentative. The remaining URLs were found only in the document's text, not behind actions: the cluster of .pdf links on file-hosting and page-builder CDNs is the pattern typical of SEO-spam pages rendered to PDF with wkhtmltopdf, and the gnu.org, savannah.gnu.org, scripts.sil.org and ascendercorp.com URLs are the licence and foundry links normally carried in embedded font metadata, most likely not content placed by the author. The operational concern is therefore the link-annotation target, which is what a reader opens on click.

Machine Learning

  • Nyx PDF Classifier: clean score 0.1471 (probability the file is clean; a low value favours the malicious verdict)

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://soxebez.ru/strik?utm_term=grohe+bridgeford+kitchen+faucet+hose+replacement (PDF link annotation)
    • http://astrology-personal.online/givipiwaroc51pn.pdf (In PDF document text)
    • http://s-tochka.ru/sawawu0nrz5.pdf (In PDF document text)
    • http://bapadama.medianewsonline.com/xodaludog.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4374013/normal_600e45e67b74d.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4420592/normal_6015b674d72cc.pdf (In PDF document text)
    • http://nelilovodik.scienceontheweb.net/dadiwazabagosewawanex.pdf (In PDF document text)
    • http://vumajuzatijerak.getenjoyment.net/administracion_financiera_2_libro.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4485927/normal_6068a1b529e91.pdf (In PDF document text)
    • http://216tilford.com/disuvanewojorob4465q.pdf (In PDF document text)
    • http://yazansoft.com/66049895695z79uo.pdf (In PDF document text)
    • http://checkmycredit.info/wupekajepatusux54vf6.pdf (In PDF document text)
    • http://setokanekema.mygamesonline.org/bowosigomuriporapofobewes.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • https://uploads.strikinglycdn.com/files/de6a0a03-4a36-48f8-8e3c-b7f8c470b6b2/91131282047.pdf (In PDF document text)
    • https://s3.amazonaws.com/bisute/14692660606.pdf (In PDF document text)
    • https://s3.amazonaws.com/jafujasiwetid/javascript_ajax_file.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/fc9f74a3-c1eb-4f71-94ad-a8d641d0b5c4/brand_identity_mockup_psd_free_download.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/977e151c-6ec7-47da-b6fe-ecf5139febd0/lawn_boy_mower_parts_list.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/ad3ecc75-6889-4ec4-ba94-0c9ff1ba07b6/how_to_drain_a_us_craftsman_water_heater.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/e2f5c41c-e8ab-48c4-b51d-ca9f87bfc3e1/62656394870.pdf (In PDF document text)
    • https://s3.amazonaws.com/zemunomipazikez/how_to_unlock_tracfone_tcl.pdf (In PDF document text)
    • https://s3.amazonaws.com/dafumuxitupav/what_are_the_basic_elements_of_graphic_design.pdf (In PDF document text)
    • https://s3.amazonaws.com/vobuturinivi/55706208944.pdf (In PDF document text)
    • https://s3.amazonaws.com/megodipewukitoj/resumen_el_principe_de_maquiavelo.pdf (In PDF document text)
    • https://s3.amazonaws.com/pisedij/the_fall_of_jake_paul_song_clean.pdf (In PDF document text)
    • https://s3.amazonaws.com/sowewazulejewi/43387821352.pdf (In PDF document text)
    • https://s3.amazonaws.com/topipovikapari/bizirigilabiputexuturopip.pdf (In PDF document text)
    • https://savannah.gnu.org/projects/freefont/ (In PDF document text)
    • http://www.gnu.org/licenses/ (In PDF document text)
    • http://www.gnu.org/copyleft/gpl.html (In PDF document text)
    • http://scripts.sil.org/OFL (In PDF document text)
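The two heuristics above rest on one distinction: a URL that is the target of a /URI action is what the reader opens on click, while a URL that merely appears in the text is inert unless the viewer auto-links it. The Python below shows how that distinction is recovered from the raw file: it collects /URI targets from action dictionaries, inflates FlateDecode content streams, scans the remainder for bare URLs, and labels each the way the report does. This is an added example written for this page, not the report's own extraction tooling; the PDF it parses is a constructed two-URL sample with example.* hostnames, and the function names are chosen here.

```python
import re
import zlib

# Bare http(s) URLs; whitespace and PDF string/dictionary delimiters end a match.
URL_RE = re.compile(rb"https?://[^\s()<>\[\]\"']+")
# /URI entries of link actions, written as literal (...) or hex <...> strings.
URI_LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _unescape_literal(s: bytes) -> bytes:
    """Undo the escapes a PDF literal string needs for delimiters and backslash."""
    return s.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")


def extract_urls(pdf: bytes) -> dict:
    """Map every URL in a PDF byte string to the channel it was found through.

    'PDF link annotation' marks URLs that are the target of a /URI action,
    i.e. what a reader opens when the user clicks; 'In PDF document text'
    marks URLs that only appear in content streams or object strings.
    """
    found = {}
    for m in URI_LITERAL_RE.finditer(pdf):
        found[_unescape_literal(m.group(1)).decode("latin-1")] = "PDF link annotation"
    for m in URI_HEX_RE.finditer(pdf):
        hexdigits = re.sub(rb"\s", b"", m.group(1))
        if len(hexdigits) % 2:            # PDF allows an odd digit count; pad with 0
            hexdigits += b"0"
        url = bytes.fromhex(hexdigits.decode("ascii")).decode("latin-1")
        found[url] = "PDF link annotation"

    blobs = []
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            blobs.append(zlib.decompress(raw))   # FlateDecode, the common case
        except zlib.error:
            blobs.append(raw)                    # uncompressed or another filter
    blobs.append(STREAM_RE.sub(b"", pdf))        # dictionaries, metadata, trailer
    for blob in blobs:
        for m in URL_RE.finditer(blob):
            url = m.group(0).rstrip(b".,;:").decode("latin-1")
            found.setdefault(url, "In PDF document text")   # actions keep their label
    return found


def build_sample_pdf() -> bytes:
    """Constructed sample (not the analysed file): one link annotation with a /URI
    action and one Flate-compressed content stream whose text contains a URL."""
    content = zlib.compress(
        b"BT /F1 12 Tf (Download: http://body-text.example/file.pdf) Tj ET")
    stream_obj = (b"5 0 obj << /Length " + str(len(content)).encode("ascii")
                  + b" /Filter /FlateDecode >>\nstream\n" + content
                  + b"\nendstream\nendobj")
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj",
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
        b"/A << /S /URI /URI (https://link-annotation.example/landing) >> >> endobj",
        stream_obj,
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for url, channel in sorted(extract_urls(build_sample_pdf()).items()):
        print(f"{channel:22} {url}")
```

On a real sample, object streams (/ObjStm) and other filters (LZW, ASCIIHex) would also need decoding before the scan, and a URL found only in text should be triaged separately from a /URI target, since only the latter fires on click.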

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0001102d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1102D | 6744 bytes | ffeb89eaad713c9717385028f79c9757067aafb2c2382ea8cbab0e6efe35a425
font_01_sfnt_off00012115.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12115 | 5804 bytes | 1f606991e9a18787ae8810f8f90d119e9380fe53cb1ecc8218fbc2bdb9146bd6
font_02_sfnt_off000134aa.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x134AA | 6900 bytes | b988d23272d1dda345d9dd8cb33a74a3029ecb2fd0b37bbfccce5d2fe1d1b057
font_03_sfnt_off00014c2f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14C2F | 13920 bytes | 930347768c9bb456efc8dfef604ce39c33622481963a5dda22a587d9299881e8
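The four carved objects are raw sfnt containers (the TrueType/OpenType wrapper). Before treating a carved blob as "only a font", a practitioner wants to know that it parses as one, that its table directory stays within bounds with matching checksums, and whether bytes sit beyond the last table, where slack could hide data that is not font content. The check below does that from the sfnt header alone. It is an added example written for this page, not part of the report's carving tooling; the font it builds is a constructed minimal container with two dummy tables, not one of the carved fonts, and `inspect_sfnt` and `build_sample_sfnt` are names chosen here.

```python
import struct

# sfntVersion tags the OpenType spec allows at the start of a font container.
SFNT_VERSIONS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"true": "Apple TrueType",
    b"OTTO": "OpenType with CFF outlines",
    b"typ1": "Type 1 in sfnt wrapper",
}


def table_checksum(data: bytes) -> int:
    """OpenType table checksum: sum of big-endian uint32 words, zero-padded to 4."""
    padded = data + b"\0" * (-len(data) % 4)
    words = struct.unpack(">%dI" % (len(padded) // 4), padded)
    return sum(words) & 0xFFFFFFFF


def inspect_sfnt(blob: bytes) -> dict:
    """Parse the offset table and table directory of an sfnt blob, validate
    bounds and checksums, and report how many bytes follow the last table."""
    if len(blob) < 12:
        raise ValueError("too short for an sfnt offset table")
    flavour = SFNT_VERSIONS.get(blob[:4])
    if flavour is None:
        raise ValueError("not an sfnt container: version tag %r" % blob[:4])
    (num_tables,) = struct.unpack(">H", blob[4:6])
    dir_end = 12 + 16 * num_tables
    if dir_end > len(blob):
        raise ValueError("table directory of %d entries runs past end" % num_tables)
    tables, data_end = [], dir_end
    for i in range(num_tables):
        tag, stored, offset, length = struct.unpack(">4sIII", blob[12 + 16 * i: 28 + 16 * i])
        if offset < dir_end or offset + length > len(blob):
            raise ValueError("table %r at 0x%X+%d is out of bounds" % (tag, offset, length))
        # 'head' is checksummed with checkSumAdjustment zeroed; not verified here.
        ok = None if tag == b"head" else table_checksum(blob[offset:offset + length]) == stored
        tables.append({"tag": tag.decode("latin-1"), "offset": offset,
                       "length": length, "checksum_ok": ok})
        data_end = max(data_end, offset + length)
    expected_size = data_end + (-data_end % 4)      # table data is 4-byte aligned
    return {"flavour": flavour, "num_tables": num_tables, "tables": tables,
            "expected_size": expected_size,
            "trailing_bytes": max(0, len(blob) - expected_size)}


def build_sample_sfnt(trailing: bytes = b"") -> bytes:
    """Constructed minimal TrueType container (not one of the carved fonts): two
    dummy tables with correct directory checksums, plus optional trailing bytes
    to emulate slack after the last table."""
    tables = [(b"cmap", b"\x00\x00\x00\x00" + b"\x00" * 8),
              (b"maxp", b"\x00\x00\x50\x00\x00\x10")]
    num = len(tables)
    offset = 12 + 16 * num
    directory, payload = b"", b""
    for tag, data in tables:
        padded = data + b"\0" * (-len(data) % 4)
        directory += struct.pack(">4sIII", tag, table_checksum(data), offset, len(data))
        payload += padded
        offset += len(padded)
    entry_selector = num.bit_length() - 1           # floor(log2(numTables))
    search_range = (1 << entry_selector) * 16
    range_shift = num * 16 - search_range
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num,
                         search_range, entry_selector, range_shift)
    return header + directory + payload + trailing


if __name__ == "__main__":
    for blob in (build_sample_sfnt(), build_sample_sfnt(b"\x90" * 100)):
        info = inspect_sfnt(blob)
        print(info["flavour"], info["num_tables"], "tables,",
              info["trailing_bytes"], "trailing bytes")
```

Run against each carved file, a non-zero `trailing_bytes` or a failed table checksum is a reason to look at the blob as something other than a font; a clean parse with the expected tables supports the report's classification of the streams as ordinary embedded fonts.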