Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa431147a1b62e97…

MALICIOUS

PDF

67.9 KB Created: 2021-05-14 17:45:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1ef66b05753c9d602cca556bbedf8833 SHA-1: 2826df074c46cab5248bdf49c64f3eca10a07bfe SHA-256: fa431147a1b62e97428e6ff52b206dc9a9b6c7043104d120c396da27b9c0e584
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The embedded URLs suggest a phishing or social engineering lure, likely attempting to trick users into downloading further malicious content. No scripts were extracted, limiting the analysis of specific execution methods.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8963

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://thehawthornnyc.com/wp-content/plugins/formcraft/file-upload/server/content/files/16083d1273bd37---16703485507.pdf
    • http://averon.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16071da0ef33ad---mimudijilared.pdf
    • https://3dreamvr.com/wp-content/plugins/super-forms/uploads/php/files/40747bbd2c709f95dcd40579005c9c95/98582289050.pdf
    • https://www.ferienhof-schneider.de/wp-content/plugins/formcraft/file-upload/server/content/files/16087a59ed2645---ludenewizurigawizosujexib.pdf
    • http://drinkandshrink.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16083edac364a6---paposavep.pdf
    • http://www.timtransportes.com/home/wp-content/plugins/formcraft/file-upload/server/content/files/16071d9c3478d1---80237790535.pdf
    • https://www.helmmsp.ca/wp-content/plugins/super-forms/uploads/php/files/cc2a3c45719c72c239cd6112943e049a/wumufu.pdf
    • https://www.arc-welding.co.uk/wp-content/plugins/super-forms/uploads/php/files/bqdir7g8ljs896oif0k4eph978/pipanakizopufiluvisuv.pdf
    • https://www.lamuccacompany.com/wp-content/plugins/super-forms/uploads/php/files/d6da599bd885d44a83eb1f9c75759cd4/63720862139.pdf
    • https://performanceltg.com/wp-content/plugins/super-forms/uploads/php/files/ab63381299d6716438b041a7ffc9232c/pololanukegoxelibuve.pdf
    • http://xn--e1aaafipco3bk8gra3b.xn--p1ai/upload_picture/file/51363672389.pdf
    • http://www.sunarpazarlama.com/wp-content/plugins/super-forms/uploads/php/files/s97f7idove1kmrc2np0e1ohcm4/17587232288.pdf
    • http://villaturri.it/wp-content/plugins/formcraft/file-upload/server/content/files/1608eaa5f9cece---nipivu.pdf
    • https://floorco.allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/2e9da54cfc6f1a71d30c56b6e1dec5e6/68609021708.pdf
    • https://givemeit.ru/wp-content/plugins/super-forms/uploads/php/files/414ac8230448915126018d9922e04084/75572477682.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/Uplcv/~3/Om9ozkHLxGw/uplcv?utm_term=cover+page+microsoft+word+template
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fdb3.bin
072dab704e59e2c575d82242ba84f0f24dd75978d5a2135b59e93a77911665b9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFDB3 5532 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.