Malicious PDF — malware analysis report

Static analysis result for SHA-256 f6be3e33793161df…

MALICIOUS

PDF

76.3 KB Created: 2021-03-20 23:51:41 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5bbb7b1ea6d5a309582e181485aa4d55 SHA-1: dc3ca0e07452b5fd64b79e189ba56fd6e5e2518e SHA-256: f6be3e33793161df1913eb3779483d72dacc324189670c8e7ab2c4d9b60345a9
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document that contains an embedded URI pointing to a suspicious URL. ClamAV detected this file as 'Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0', indicating a phishing and trojan payload. The document body, though heavily obfuscated, suggests a lure related to 'Libro hind bhagavad gita pdf'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8022

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bologen.ru/award?keyword=libro+hind%25C3%25BA+bhagavad+gita+pdf
    • https://cdn.sqhk.co/dexujagafir/jh66b3w/tijaxeredevimotoxajog.pdf
    • http://zhigina.ru/6845792322jk0r3.pdf
    • http://kersita.space/88298341504j9zjn.pdf
    • https://cdn.sqhk.co/mugegiduveb/j7toyiG/renajusenaletetug.pdf
    • http://giveaway2020.info/xemajalenogoleliwqzcb.pdf
    • http://xofozupazo.22web.org/south_carolina_driving_test_book.pdf
    • https://cdn.sqhk.co/pananumujo/JhirNgd/telegram_x_windows_app.pdf
    • https://cdn.sqhk.co/nazutupim/dnqMeib/41538450574.pdf
    • https://cdn.sqhk.co/pobijejok/hhjgdvl/varaxasigipofemagafopo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://kilisajafe.rf.gd/medoraliwa.pdf
    • https://uploads.strikinglycdn.com/files/22b2487f-56a0-4171-86f5-f83c98d32156/xedawimisaj.pdf
    • http://xitemefunugege.epizy.com/69446001318.pdf
    • http://nemebikox.epizy.com/bein_sports_tv_guide_rugby.pdf
    • http://wumevejuraluxe.rf.gd/vojugetidej.pdf
    • https://uploads.strikinglycdn.com/files/aa666d08-0ead-422b-8c60-faac8cca5bca/data_analysis_using_software_packages_microsoft_excel_and_spss.pdf
    • http://kowefejarozop.epizy.com/baba_balak_nath_pic_hd.pdf
    • https://uploads.strikinglycdn.com/files/8b62d3b5-87f4-4526-ae16-5b7e64cf87b6/how_thick_should_a_gravel_path_be.pdf
    • https://uploads.strikinglycdn.com/files/04a3af8b-3e40-4276-9269-c8a2fc1fa9c5/the_noble_collection_nn1910_harry_potter_illuminating_wand.pdf
    • http://jumaguw.epizy.com/hp_8300_elite_sff_i7_specs.pdf
    • http://gavojomizam.epizy.com/wakurarababuvixiromu.pdf
    • https://s3.amazonaws.com/xeruxaxer/muvuwamilig.pdf
    • https://s3.amazonaws.com/wegemebufojafak/hillsborough_county_school_2020_spring_break.pdf
    • https://uploads.strikinglycdn.com/files/411604b0-4dd5-4712-b518-305b7d7a1424/technical_report_writing_today_9th_edition_free_download.pdf
    • https://s3.amazonaws.com/belopudevuzuza/wemexafijaposedunanaz.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011ee7.bin
149f1303b0b84d771b6a4f2fcb8d59560bc1e8261bc9c39741e1a361b7ee1e1a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11EE7 5352 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.