Malicious PDF — malware analysis report

Static analysis result for SHA-256 10e538eca633f8c5…

Verdict: MALICIOUS
File type: PDF
Size: 80.5 KB
Created: 2021-04-22 12:12:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 27dd37b55212426dac7e42280538fde0
SHA-1: dca7d428ffd68a8f3f4694723ee622be0a819623
SHA-256: 10e538eca633f8c5651ee7c4e6f6bcc20859ae6beb8047b27bc7b346176a1544
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF that contains an embedded URL pointing to a suspicious domain, disguised as a free download for a '2010 ford ranger repair manual pdf'. ClamAV detection and ML classification strongly indicate malicious intent, likely phishing or malware distribution. No scripts were extracted, but the embedded URL is the primary indicator of a malicious download attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9967

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/strik?utm_term=2010+ford+ranger+repair+manual+pdf+free+download

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000fafd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFAFD | 5504 bytes
  SHA-256: 58510d64d9916375305737e963f80ec64888881bca3dd675ae9b071682611725
font_01_sfnt_off00010dbf.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10DBF | 11556 bytes
  SHA-256: 48937cba90786677ee99cfda4631b89fe1653b413b060ddf15fa87bd8f041c61