Malicious PDF — malware analysis report

Static analysis result for SHA-256 facb2a9350a50365…

Verdict: MALICIOUS
File type: PDF
Size: 78.9 KB
Created: 2021-02-02 19:54:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9e567845bfdc8976574eeb910a99a94f
SHA-1: d2d27727d7230afb9571afa968ed8a89bcfd69b7
SHA-256: facb2a9350a5036575016de26516b988a2e9304238cb53c0cd1242fe95225cba
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains heuristics indicating it is malicious and a phishing attempt, with an embedded URI pointing to a suspicious URL. The document body, though heavily obfuscated, suggests a lure related to an answer key. The presence of multiple PDF-related URLs and the ML classifier's high confidence score further support its malicious nature. No scripts were extracted, but the embedded URI is a primary indicator of a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9549

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jottigo.ru/123?utm_term=biology+unit+3+test+answer+key

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001222d.bin
SHA-256: f4597dbf60e55b4e423030eeec371d7057b41cb188a50f2a4112a8bb8486ed62
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1222D
Size: 5324 bytes