Malicious PDF — malware analysis report

Static analysis result for SHA-256 8bbd3728d348425d…

MALICIOUS

PDF

Size: 58.7 KB
Created: 2021-04-30 07:00:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 11cc4887e3c71384f12e9bbabf4113ba
SHA-1: 2d69b07a42556d477930e75c5055d5f61bd03661
SHA-256: 8bbd3728d348425d1d4990075ccc840715352adc2fab6dc2ac84391e3c42e1c1
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is flagged as malicious by the ML classifiers and by ClamAV, and the combined evidence points to a phishing attempt. The embedded URLs and the document body suggest a lure that entices the reader to download a malicious PDF disguised as an editable Venezuelan ID (cédula) template. The presence of multiple suspicious URLs hosted on compromised-looking file-upload paths indicates a broader phishing campaign rather than a single one-off document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8253

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000ce3b.bin
    SHA-256: 591c7731ff6cf03fe0d3e9e597a5644f9f8b3480670eaecf1849393f94efa649
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCE3B
    Size: 5112 bytes