Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e7854f2370708a7…

Verdict: MALICIOUS
File type: PDF
Size: 77.0 KB
Created: 2021-03-14 03:19:19 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0c3e7a644117cc222ca3ef519dcaad55
SHA-1: 7df08bee9550303e925ea74925e3c6738587bf48
SHA-256: 8e7854f2370708a7193d2602c1772bf15638bc573e66287ebd471ec96d16ec68
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by the ML classifiers and by ClamAV, which flags it specifically as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, a common tactic in phishing campaigns. The document body is heavily obfuscated but appears to present itself as a PDF about 'Dogmatismo vs escepticismo'. No scripts were extracted; the external URIs nevertheless indicate an attempt to redirect the user to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000ed33.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xED33  5404 bytes
  SHA-256: 3806e86366df831e5d3dd73df86504665b1dae874e9470849589966d43b9d3ef
font_01_sfnt_off0000ff9a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFF9A  11608 bytes
  SHA-256: 3ade39254666a9f7d98cd3c5964001f967edd06e59d3a20a397d84fa72b45a55