Malicious PDF — malware analysis report

Static analysis result for SHA-256 18cdc8cc6abc1c14…

MALICIOUS

PDF

72.0 KB Created: 2021-03-14 14:25:08 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e10bb6ff73861c7b8fd14553bd34a203 SHA-1: d3b97bd6c4afbf1eb32947202d51da954056b34e SHA-256: 18cdc8cc6abc1c146b9b601a9b56da74cc18105d0a06e0751cf3a90cce6ac0fb
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document identified as malicious by ML classifiers and ClamAV. It contains an embedded URI pointing to a suspicious domain, likely intended to trick the user into visiting a phishing or malware distribution site. The document body, though heavily obfuscated, contains text related to 'aldosteronismo primario' and the authoring application, suggesting a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6871

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dugedepap.ru/award?keyword=aldosteronismo+primario+pdf
    • http://pixelbarista.com/allen__heath_gl2400_16_channel_mixer_price_in_india2wxio.pdf
    • http://paselon.getenjoyment.net/tosabajeru.pdf
    • http://tixaman.scienceontheweb.net/84634257412.pdf
    • https://cdn.sqhk.co/fowijuseziju/eqWnhjY/lokexevusawegijoluzi.pdf
    • https://cdn.sqhk.co/lodesejidi/5icij0y/vorimagudubovezozivan.pdf
    • http://mebelintera.ru/beniregunimajeduwukikekxter.pdf
    • https://cdn.sqhk.co/pifizumux/k1RjgNC/subterfuge_meaning_in_kannada.pdf
    • https://cdn.sqhk.co/zolewiko/jgejbQj/epsxe_android_cheats.pdf
    • http://nitafibejuze.mygamesonline.org/42846265798.pdf
    • http://gemofesane.medianewsonline.com/tuzowomefi.pdf
    • http://lobabinuladeri.medianewsonline.com/resumen_del_libro_el_llano_en_llamas_por_capitulos_el_rincon_del_vago.pdf
    • http://fusekimutoxi.sportsontheweb.net/budidaya_tanaman_bayam_merah.pdf
    • http://gudokav.sportsontheweb.net/lomovogu.pdf
    • http://lnstagramverifiedsbadgesforms.com/backend_testing_interview_questions_and_answersintih.pdf
    • http://fanisore.sportsontheweb.net/download_ableword.pdf
    • http://zijixiteluwek.scienceontheweb.net/my_fathers_dragon_movie_in_english.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/33337374-d675-4ed0-863d-13937fde1508/4216713966.pdf
    • http://wobanunep.myartsonline.com/foperaluzafipivijolas.pdf
    • https://uploads.strikinglycdn.com/files/4f3f8791-b868-4476-8d07-91b5826a89e9/epson_artisan_710_price.pdf
    • https://uploads.strikinglycdn.com/files/89f8fde7-6265-47ae-bd9a-69f456942ef9/pewosonuvujolepuwabovil.pdf
    • http://jisunopesaluzi.atwebpages.com/83115059987.pdf
    • https://uploads.strikinglycdn.com/files/13c536e9-ddcb-4011-8a8a-c5172bbadfff/nojagekomun.pdf
    • https://uploads.strikinglycdn.com/files/8e1d219d-d3c5-4fe8-82da-b365044b3161/how_to_put_kitchenaid_fridge_in_demo_mode.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ef7b.bin
528efc7e6e29f3ba03331d35035263a5d6bb7575ea3fa3fff2b30197a31140b0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEF7B 5176 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.