Malicious PDF — malware analysis report

Static analysis result for SHA-256 fccb7f376193ec22…

MALICIOUS

PDF

Size: 62.7 KB
Created: 2021-04-05 05:18:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0d835fdaf929a7fd409edaf492323823
SHA-1: 1446272a047425bada59ce16353162a764732814
SHA-256: fccb7f376193ec228c2c0bdec6228faf9b3958b004cc21f1ef4cdb1c5e92ec6e
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF containing an embedded URI pointing to a suspicious domain, flagged by ClamAV as Pdf.Phishing.Trojan. The ML classifier also indicated a high probability of maliciousness. While no scripts were explicitly extracted, the PDF structure and the presence of external URIs suggest an attempt to redirect the user to a malicious site, likely for phishing or to download a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6615

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/award?keyword=caperucita+roja+adolfo+serra+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ee33.bin
SHA-256: 7c5417d63fddbac0414fe12e7dbab4c0e2f32285cd05c55fb339dcfa142e3460
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xEE33
Size: 5132 bytes