Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d94ff8ae748164e…

MALICIOUS

PDF

Size: 61.1 KB
Created: 2021-05-07 05:10:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6175afcfb3c463d7fad5c7abb5b7ca13
SHA-1: 8a4aa28dd232915b1176e44d310894d16310a734
SHA-256: 2d94ff8ae748164ecc4b26b3522a5f433433c072d03fd28db728e18b9ee6511e
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file was detected as malicious by ML classifiers and ClamAV, specifically as a phishing trojan. It contains embedded URLs pointing to potentially malicious PDF files hosted on compromised websites. The document body, though heavily obfuscated, suggests a lure related to a pathology textbook, likely intended to trick users into downloading and executing a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7813

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info, PDF_URI]
    PDF contains an external URL action
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.doctor-carpet.com/wp-content/plugins/super-forms/uploads/php/files/5v7jq9a63ivh0mvqnaq0mk8894/8873902495.pdf
    • http://www.morenoroofing.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e2d79e21b7---78425266449.pdf
    • https://completecollegestrategies.com/wp-content/plugins/super-forms/uploads/php/files/ec5fa73e1208678fc0a03a5ba0e2942e/86368838793.pdf
    • https://sygimportaciones.com/wp-content/plugins/super-forms/uploads/php/files/3tp8cuc0bhu2e4o2773srq89na/26169189431.pdf
    • https://lerong.vn/wp-content/plugins/super-forms/uploads/php/files/f539c1101b6d91436c76006b4796ced5/45062149785.pdf
    • http://cohn-vossen.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606e3650484bf---gotowuzesujelegumefofu.pdf
    • https://smarttactic.ro/wp-content/plugins/formcraft/file-upload/server/content/files/16086a80768f52---73142294280.pdf
    • http://vtracauto.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607224d9ccbb8---57232448123.pdf
    • http://www.drop-lok.com/wp-content/plugins/formcraft/file-upload/server/content/files/16084c1d71193d---suvikelumomolewediv.pdf
    • https://www.marbelitesa.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160849426b3e95---31874957633.pdf
    • http://www.argentum.com/wp-content/plugins/super-forms/uploads/php/files/4qdfs09c6v6uhmlk83c40lm74l/78940178875.pdf
    • https://www.qlsny.com/wp-content/plugins/super-forms/uploads/php/files/f7cff54bb6b84ddcb3b1c1c85f965d1a/47216497130.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/Uplcv/~3/GLLx1DTH0VQ/uplcv?utm_term=pathology+textbook+for+medical+students+pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000df87.bin
SHA-256: 6f10f24a771c4b705c5895eaf7d3c9b0b873028d03f14d9eca2c3c858aea4d4e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xDF87
Size: 5944 bytes