Malicious PDF — malware analysis report

Static analysis result for SHA-256 fd55c190ab0e110e…

Verdict: MALICIOUS
File type: PDF
Size: 76.3 KB
Created: 2021-03-31 14:44:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4d1d8dfed571dcddaaf5a1a84c11d5bb
SHA-1: ad08235b9298af1d05136b3a63b1dbed6e79c5ee
SHA-256: fd55c190ab0e110e678cf2dc32bc9907661a1d8c74ba8e6d130fde8f3f0fe08e
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'seumenha.ru', suggesting a phishing or malware distribution attempt. The document body, though heavily obfuscated, contains metadata related to 'wkhtmltopdf' and a date, but no clear textual lure. The presence of numerous embedded URLs, many with unknown reputations, further supports the attack pattern of directing users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8808

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/award?keyword=iodine+value+wijs+method+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00010258.bin
    SHA-256: 1a9fb880d7d64f1d4ed9b76c31e0d7c5dd6525dacd871f13fdd07627dac64709
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10258
    Size: 5348 bytes
  • font_01_sfnt_off00011483.bin
    SHA-256: b716b36f9931a7fcfccf4f7c5bfbae006dfbcb31b3e1e670536e5f54ebadc24b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11483
    Size: 9548 bytes