Malicious PDF — malware analysis report

Static analysis result for SHA-256 c8f5792ce7ebcb14…

MALICIOUS

PDF

Size: 776.2 KB
Created: 2013-06-18 03:29:06
Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))
First seen: 2021-05-29
MD5: edd6bf1b5902393a6f9aab989ba14c32
SHA-1: d8c5713d411af9d35d7aaea43d3a5f707101f4a1
SHA-256: c8f5792ce7ebcb14c9b03c852f88b19cd7804b1e6aaf97b1a543ceeaa810486e
Risk Score: 134

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The sample is a PDF file flagged by ClamAV as Unix.Trojan.PhpBackdoor-9354530-2. Static analysis detected an eval() call within the PDF structure, indicating the execution of arbitrary code. This is further supported by the ML classifier's malicious prediction. The embedded URL, while marked as benign, suggests a potential initial point of contact or lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5040

Heuristics (4)

  • ClamAV: Unix.Trojan.PhpBackdoor-9354530-2 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Unix.Trojan.PhpBackdoor-9354530-2
  • eval() call (high, PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.natalbrasil.tur.br/en/destinations_about_natal.php (in PDF document text)
    • http://www.otempoeovento.com.br/ingles/index.htm (in PDF document text)
    • http://www.safarihotel.com.br/ingles/ohotel.php (in PDF document text)
    • http://www.iip.ufrn.br/?pg==AFVxIkVWp1VW1mVXN2RxcVVwAHSZ1GdPZFbSh1UsplV&lang=en (PDF link annotation)
    • http://www.ifi.unicamp.br/inctiq/index_ing.php (in PDF document text)
    • http://www.iec.ch (in PDF document text)
    • http://www.gnu.org/copyleft/gpl.html (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_004_off00001ad7.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1AD7 | 91432 bytes
    SHA-256: 5b0765156a7522e1b20f16cb911bf3a03d568d8ee9f5cab18481d8449fa81040
stream_005_off0000d02a.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xD02A | 264072 bytes
    SHA-256: a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc