Verdict: MALICIOUS
Risk Score: 96

Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
Heuristics flag an external URI in the PDF, and both a machine learning classifier and ClamAV flag the file as malicious, ClamAV specifically as a phishing trojan. The embedded document body text, though partially corrupted, contains the phrase 'Aladdin full movie online', suggesting a lure. The primary IOC is the external URL found within the document.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics 4
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical; CLAMAV_DETECTION). ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI (info; PDF_URI). PDF contains an external URL action.
- Object number defined twice with different bodies (info; PDF_DUPLICATE_OBJ_BODY_INCREMENTAL). The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info; EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URLs (channel in parentheses):
- https://wastran.ru/pbw?utm_term=aladdin+full+movie+online (PDF link annotation)
- https://cdn-cms.f-static.net/uploads/4458614/normal_60b8aa9b0071f.pdf (in PDF document text)
- https://static.s123-cdn-static.com/uploads/4492901/normal_5fe0299e8a9da.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4383806/normal_60436b6ce3653.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4444622/normal_6012e49b2c5ac.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4404121/normal_603c511f16095.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4506131/normal_6035e27f94443.pdf (in PDF document text)
- https://static.s123-cdn-static.com/uploads/4420235/normal_60075a308c7bd.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://uploads.strikinglycdn.com/files/7a5fcc11-b04f-4347-aae4-583fd504f252/rotebi.pdf (in PDF document text)
- http://visetululiv.pbworks.com/w/file/fetch/144423345/forge_of_empires_generator_2020_winter_event.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/246c35c5-7c37-49c4-a736-217814c95151/55572288481.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/4179c824-b035-4854-91a7-bd8d873ba5ad/sosiwazevexuf.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/74d93f92-ea0b-4cd0-9ac2-815855f3aaaa/zuwuxogolepel.pdf (in PDF document text)
- http://fuzobonesujo.pbworks.com/w/file/fetch/144824322/ruripejaxixulam.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/1ae99654-5d50-43b6-860c-4530ebcc1b24/54892341576.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/a5214342-1af1-43f1-b08b-556aaa714a65/52435370087.pdf (in PDF document text)
- http://jajafad.pbworks.com/f/sakusidanurobegi.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/c651ed6d-601b-48ac-ac0c-1aac7c004080/74226429549.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/e815cd51-0151-4e2b-9972-b3b2b4c0aad5/84158792661.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/2b63022a-44ac-4f26-91fe-b1c15f8bd7dc/ovid_metamorphoses.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/30c99a55-93c6-4763-a753-0ca08673440b/padokovatosiwubamapade.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/37661175-0135-43f5-987a-0f230260f215/ejemplos_de_oraciones_con_complementos_directos_indirectos_y_circunstanciales.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/a69a23b7-f168-4f5c-9eb8-1d88a3d9d799/apartment_rent_history_nyc.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/60509dcd-cca6-4395-8ad5-9fdbd6614869/4065357327.pdf (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f2b8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF2B8 | 4828 bytes | 78df81d07aef33dbf135843ffc76d18691a4e665013128c8b36e6ac61cd70d3a |
| font_01_sfnt_off00010324.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10324 | 11128 bytes | 24456f0f4dc1ce83781330899226d19c8436711868d1f52b3d5d3b16c0e9ee05 |