Malicious PDF — malware analysis report

Static analysis result for SHA-256 2dc8ae8da94cebe3…

MALICIOUS

PDF

Size: 74.4 KB
Created: 2021-05-02 19:03:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 253cdb7653a904f58b200e4282074dc2
SHA-1: be8185ea0340f3831ac68a5ef908a5999b1fef94
SHA-256: 2dc8ae8da94cebe3dc0348a8f41dcbc1ff6cbafda1d30bb20188ef6a625667a8
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL pointing to a suspicious domain, likely intended to host a malicious payload or phishing page. The document body, though heavily obfuscated, suggests a lure related to 'human rights summary'. No scripts were extracted, but the presence of external URIs and the overall detection profile strongly indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e6ac.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE6AC
    Size: 5036 bytes
    SHA-256: d480b2f0acdcf452a5d3de0a3bc2c7f15f3ac1d506140cf7eb6a7bced8cb0f67
  • font_01_sfnt_off0000f7a1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF7A1
    Size: 10800 bytes
    SHA-256: dc3a22da2f5fbb4ee9c1ad1bc1ccde33fae53170250ba2c587fb511813d357a6