Malicious PDF — malware analysis report

Static analysis result for SHA-256 fff7d1670feeb995…

Verdict: MALICIOUS
File type: PDF
Size: 58.3 KB
Created: 2021-05-06 13:38:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f2636935a9071ca75e3bddb816957f9f
SHA-1: 2ec291120f16f9fc96e4cda6437d8dbcf8f16151
SHA-256: fff7d1670feeb995ea275dfff2eb661cfe051b0018504911a0bafbaaa0dd6092
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as a malicious PDF by ML classifiers and ClamAV, indicating a phishing attempt. The document body, though heavily obfuscated, suggests a lure related to an 'admission letter'. The embedded URLs point to potentially malicious PDF files hosted on compromised websites, likely serving as the second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9507

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.