Malicious PDF — malware analysis report

Static analysis result for SHA-256 fecefda47ff2c607…

MALICIOUS

PDF

Size: 76.3 KB
Created: 2021-02-28 23:47:17 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-15
MD5: 932f99d7b1a90a0cf6d67b58b4321380
SHA-1: d5af4defe77fc77ea66d33159312be826ae99a94
SHA-256: fecefda47ff2c60766f75f36862d374759fe54f65a24eada75ecb01a3e4e55dd
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a link annotation whose external URI action points to a URL styled as a search result for a technical document (a flight-mechanics textbook PDF), a typical lure to get the reader to click through to a download. The ML classifier and the ClamAV signature both indicate malicious intent. No scripts were extracted from the file, so the malicious behaviour rests on the external URI rather than on embedded code: the document's role is to steer the reader to a malicious second-stage download. The remaining URLs listed below occur only in the document text, not in actions, so nothing in the viewer triggers them on its own.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8993

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/award?keyword=introduction+to+aircraft+flight+mechanics+yechout+pdf+download (PDF link annotation)
    • http://kedutugadow.iblogger.org/bazivumizekabo.pdf (in PDF document text)
    • http://migarosovimopem.22web.org/dizarijododof.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4475728/normal_5ff6c4550a784.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4483388/normal_60052da82df5a.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4368750/normal_5fde8e4996688.pdf (in PDF document text)
    • http://gulexamotapa.iblogger.org/kijokeluginisuzuliwox.pdf (in PDF document text)
    • http://prostosite.site/fundamental_accounting_principles_free_downloadg706m.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4387230/normal_601df55a45b9c.pdf (in PDF document text)
    • https://cdn.sqhk.co/mogezunir/jd0N5uj/adventure_capitalist_earth_guide_2019.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4409258/normal_602a304f81006.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4476954/normal_60011506d6c33.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4417429/normal_601577c87c8ff.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4446015/normal_5fe044d2409c8.pdf (in PDF document text)
    • https://cdn.sqhk.co/duxevowoli/kgdUCiH/suwonifapejogofe.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/votuweroxigezog/44624968248.pdf (in PDF document text)
    • http://bobamexexaru.rf.gd/smapi_for_android.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
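The split between the single URL reached through a link annotation and the many that only appear in the document text is the key triage signal in this report: a /URI action fires when the reader clicks the annotation, while a URL in page text is an inert string. The following Python is an added example, not part of this report or of the tooling that produced it. It builds a small PDF in memory (the example.invalid hostnames are constructed placeholders), then scans it with plain regular expressions, inflating Flate-compressed streams, and groups every URL it finds by channel. It only understands literal strings, the Tj operator and the FlateDecode filter; hex strings, TJ arrays and other filters are out of scope, which is the reason a production pipeline uses a real PDF parser for the same job.

```python
import re
import zlib

# Matches a URL inside a PDF literal string; stops at PDF delimiters and whitespace.
URL_RE = re.compile(rb"https?://[^\s()<>\[\]{}\"']+")

# Stream objects: "N 0 obj << dict >> stream ... endstream". The dictionary part
# may not span an "endobj", which stops the lazy match from swallowing earlier objects.
STREAM_RE = re.compile(
    rb"obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
# /URI key followed by a literal string operand (hex-string form is not handled).
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Text-showing operator with a literal string operand (TJ arrays are not handled).
TJ_RE = re.compile(rb"\(([^)]*)\)\s*Tj\b")


def build_sample_pdf() -> bytes:
    """Construct a minimal PDF with the two channels seen in the report: a
    Flate-compressed page that only *prints* one URL, and a Link annotation
    whose /URI action *opens* another. Both hostnames are placeholders."""
    text_url = b"http://body-only.example.invalid/document.pdf"
    lure_url = b"https://lure.example.invalid/award?keyword=flight+mechanics+pdf+download"
    content = zlib.compress(
        b"BT /F1 12 Tf 72 700 Td (Download: " + text_url + b") Tj ET")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Annots [5 0 R] >>",
        (b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content))
        + content + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 712] "
        b"/A << /S /URI /URI (" + lure_url + b") >> >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += (b"%d 0 obj\n" % num) + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return bytes(out)


def _decoded_streams(pdf: bytes):
    """Yield decoded stream bodies. Only FlateDecode is inflated; a stream with
    any other filter is skipped rather than scanned as garbage."""
    for m in STREAM_RE.finditer(pdf):
        sdict, raw = m.group(1), m.group(2)
        if b"/FlateDecode" in sdict:
            try:
                # decompressobj tolerates a missing trailing byte if the EOL
                # regex happened to eat a \r that belonged to the data.
                yield zlib.decompressobj().decompress(raw)
            except zlib.error:
                continue
        elif b"/Filter" not in sdict:
            yield raw


def classify_urls(pdf: bytes) -> dict:
    """Group URLs by the channel that carries them.

    'uri_action'    - operand of a /URI action: opens when the reader clicks
                      the annotation (what the report's PDF_URI heuristic flags)
    'document_text' - literal string drawn by a Tj operator in page content:
                      visible text only, nothing fires on its own
    """
    found = {"uri_action": set(), "document_text": set()}
    # Annotation dictionaries may live in plain objects or inside Flate-compressed
    # object streams, so /URI actions are searched in both places.
    sources = [pdf] + list(_decoded_streams(pdf))
    for data in sources:
        for m in URI_ACTION_RE.finditer(data):
            found["uri_action"].update(
                u.decode("latin-1") for u in URL_RE.findall(m.group(1)))
    for data in _decoded_streams(pdf):
        for s in TJ_RE.finditer(data):
            found["document_text"].update(
                u.decode("latin-1") for u in URL_RE.findall(s.group(1)))
    return found


def active_urls(pdf: bytes) -> set:
    """URLs a viewer reaches through interaction: block and enrich these first."""
    return classify_urls(pdf)["uri_action"]


if __name__ == "__main__":
    sample = build_sample_pdf()
    for channel, urls in classify_urls(sample).items():
        for url in sorted(urls):
            print(f"{channel:14s} {url}")
```

Run against the constructed sample, the lure URL comes back under uri_action and the printed URL under document_text, which is the same labelling the report applies to its 21 URLs. Feeding the script a real sample from disk is a matter of passing the file's bytes to classify_urls; the annotation scan deliberately reads the raw file as well as the inflated streams, so annotations stored inside object streams are not missed.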

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00011028.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11028
Size: 5584 bytes
SHA-256: bd587456908a2f0ba486000f73b958d995f7ca4b9f836602484235302b2912f8