Malicious PDF — malware analysis report

Static analysis result for SHA-256 2e5ee0776f6d45ec…

Verdict: MALICIOUS
File type: PDF
Size: 183.8 KB
Created: 2021-03-09 13:37:07 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 93b1b1617395fe8fdbf46327a43599d4
SHA-1: ed4352335c8d5e47a46165f600cf5f0ed29c7040
SHA-256: 2e5ee0776f6d45ec8b033fd8420001e42ab5ed3f19490fc94600ac485dbf4485
Risk Score: 94

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to a suspicious domain, which is a strong indicator of a phishing or malware distribution attempt. ClamAV detection and ML classification further support its malicious nature. The document body, though heavily obfuscated, suggests a lure related to medical guidelines, likely to trick users into visiting the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8782

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/award?keyword=2020+aha+guidelines+for+cpr+and+ecc+pdf
    • https://cdn.sqhk.co/tinulafi/iajbjhj/sulakugoserekidiparexuvu.pdf
    • http://dajazadek.22web.org/zusixugufabexenun.pdf
    • https://nonujokos.weebly.com/uploads/1/3/0/7/130775252/zoraduxezupuxiginar.pdf
    • http://ukrdomonis.xyz/codex_chaos_knights_8th_editionxkz7b.pdf
    • https://cdn.sqhk.co/kubepugemaki/djaihgj/stress_management_skills.pdf
    • https://lidafeli.weebly.com/uploads/1/3/4/6/134683499/xulebodosisutisof.pdf
    • http://devgame.design/fusamemikelakowupanw5sy0.pdf
    • http://rabota-plus.club/advanced_race_guide_pathfinderuvy6b.pdf
    • https://getifejijepe.weebly.com/uploads/1/3/0/7/130739552/7078853.pdf
    • https://judozonax.weebly.com/uploads/1/3/1/4/131454501/0a05f3ee72.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/588283ce-8046-4051-b43f-b910e327c3c6/feguvewekozazidatutu.pdf
    • https://uploads.strikinglycdn.com/files/46c4c83a-a1e9-4494-aa90-c3c6d0022355/autocad_certification_online_free.pdf
    • https://uploads.strikinglycdn.com/files/95b7aef2-cb9a-4461-a606-cb3016ccde5b/37132377763.pdf
    • https://3dcfbd4a-ef33-49dc-a04a-0aaf5307c30d.filesusr.com/ugd/b47706_445ebef7223547daa324d28e50150be9.pdf?index=true
    • https://f64a1a0a-debf-4843-a838-a34c0cae0f4a.filesusr.com/ugd/89602e_b0111bb4f73f4868a170e895ec4bbeac.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b46bfa56-1245-4f3b-ba9e-ab222faec4f9/geforu.pdf
    • https://e1cd7dcf-8988-4be8-9b1a-722367337987.filesusr.com/ugd/6203b9_b58f004e09c74feab23c7bff51b9c3c1.pdf?index=true
    • http://dazigeles.rf.gd/87092177450.pdf
    • https://uploads.strikinglycdn.com/files/b23c91d9-aa25-47b6-9396-33a042373407/kewije.pdf
    • https://1a6c606f-1efd-495f-9370-57f425d809fd.filesusr.com/ugd/1be480_6a7a1c57e88d4e0e8f84fe59d77cff5c.pdf?index=true
    • https://584dc5e1-4449-4bca-b3d9-d0e1fa08a972.filesusr.com/ugd/185caa_69292e4b397e4060b3c2d57c6f546a26.pdf?index=true
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off000295e7.bin
    SHA-256: b719e70be0b04e61285f6d83d275e3ccdb1b81a2059b83424f421dae3a07e08d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x295E7
    Size: 5396 bytes
  • font_01_sfnt_off0002a821.bin
    SHA-256: 93418c58d857d289310ddf1fe2446edb582dd10df99c7ca6ef88763000ff990e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2A821
    Size: 16476 bytes