PDF malware analysis — malicious · 11257d6ff40185a3

MALICIOUS

PDF

79.8 KB Created: 2021-05-25 03:22:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-23

MD5: 1172a990f5642c41a0869fb813fe9f6a SHA-1: cbcd5550b51f171fd5a4f4e7186800549c0b3d55 SHA-256: 11257d6ff40185a30ec675a1bae0e4d1d3e893da5adea44f65aafb337e560fed

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. The embedded URL, 'https://jumiwimov.ru/strik?utm_term=los+renglones+torcidos+de+dios+pdf+para+descargar+gratis', suggests a phishing lure related to downloading a book. While no scripts were explicitly extracted, the PDF structure and the presence of external URIs indicate a potential attempt to redirect the user to a malicious site.

Machine Learning

Nyx PDF Classifier malicious score 0.9990

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://jumiwimov.ru/strik?utm_term=los+renglones+torcidos+de+dios+pdf+para+descargar+gratis PDF link annotation
- https://cdn-cms.f-static.net/uploads/4476751/normal_604ba82264b55.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4391954/normal_60566da7e689f.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4386606/normal_601b93a2b32eb.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4414167/normal_601bb028e0191.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4453906/normal_60677e0f5d923.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4410018/normal_606544b38d789.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4481156/normal_5fc7f6fc1cc54.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4501482/normal_606b1de6435d6.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4369766/normal_5fcacd5bbbe66.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4391326/normal_5fdfaf573c9ab.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4459025/normal_5ff665bd609cf.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4481695/normal_6059262bca96a.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/3da07b22-03bb-4540-ad0a-73f793a72b2f/16181342506.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/accccbcd-b3f1-4644-afcd-ed26a2f3a9c3/how_to_write_a_professional_cv_south_africa.pdfIn PDF document text
- https://s3.amazonaws.com/bededuxotulapil/52627532531.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/44b8c245-74dd-4c8c-824c-aa7c174f82bb/intex_saltwater_system.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b8917839-c994-4184-955e-faac2add711f/pokemon_sun_and_moon_series_episode_5_in_hindi.pdfIn PDF document text
- https://s3.amazonaws.com/ropidadegaxut/diagrama_de_casos_de_uso_ejercicios_resueltos.pdfIn PDF document text
- https://s3.amazonaws.com/moduxanakuri/ffxiv_leveling_guide_30-_40.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/508a80fa-0770-4d63-8357-748956df9ec3/thank_you_maam_open_book_test_answers.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ac2fcde9-c245-4b0f-9ff0-83d0ea28aa61/refibevaxunuma.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b561a5a6-8957-4cf4-9031-b8e1a9e7a7fe/20572253668.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f182c696-ee0b-4d94-b582-19d6301cb38e/1110710209.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/96a8681e-3231-4103-8ac1-62294d3f6170/58542537903.pdfIn PDF document text
- https://s3.amazonaws.com/wexukufedepim/15917850649.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e026.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE026	5264 bytes
SHA-256: `1dda28412adaf985ce662fb31ccfed889573424de4c0678457a582fee6293898`
`font_01_sfnt_off0000f21f.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF21F	11940 bytes
SHA-256: `c1cd689888ac228655d8f63ed611a508997ce75276e47dd8af0af831cd33d1a1`
`font_02_sfnt_off0001197d.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1197D	16140 bytes
SHA-256: `5bfda07072dd2e1b0df7f1680a75ba616774ec51e1a09c257f000ba239241e1c`

Open this report in the interactive analyzer, or submit your own file for analysis.