PDF malware analysis — malicious · 18256d19210d0c30

MALICIOUS

PDF

69.7 KB Created: 2020-12-25 19:57:00 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 95420a969cfd65da10e61cb8c42b4552 SHA-1: dc39b0177b042b0baf79c4d952b09eb7d5b475f0 SHA-256: 18256d19210d0c30dd19dd5111e1325ff4f01007471417f295be58ed5947188a

104 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF document contains a malicious URL and a heuristic firing for a download button lure, indicating a phishing attempt to trick users into downloading cracked software. ClamAV detection as 'Pdf.Phishing.Trojan' further supports the malicious nature of the file. The embedded URL is likely used to deliver the malicious payload.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://trafffe.ru/aws?utm_term=crack+autocad+2010+64+bit
- https://cdn-cms.f-static.net/uploads/4390681/normal_5fc2b80cc96da.pdf
- https://static.s123-cdn-static.com/uploads/4443292/normal_5fcd59036c134.pdf
- https://static.s123-cdn-static.com/uploads/4374022/normal_5fcfb8aee3222.pdf
- https://cdn-cms.f-static.net/uploads/4490121/normal_5fda54ea55916.pdf
- https://cdn-cms.f-static.net/uploads/4424361/normal_5fb4083c6a892.pdf
- https://cdn-cms.f-static.net/uploads/4409393/normal_5fbc0395df882.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/d8e92c48-0143-4872-81d4-7fc71f08c4de/apt_spring_green_rain.pdf
- https://uploads.strikinglycdn.com/files/70f38e40-abd1-4cbd-b19c-6eaaa2b3e810/the_battle_of_the_labyrinth_page_count.pdf
- https://uploads.strikinglycdn.com/files/fe8fd44d-071a-4523-b4db-5d165f290781/55079773942.pdf
- https://uploads.strikinglycdn.com/files/17564e3d-3927-4678-a96e-82e68bae1c86/54189927598.pdf
- https://uploads.strikinglycdn.com/files/cc11d83b-6a90-43f5-b93a-938623bc004a/ratapudigabofof.pdf
- https://uploads.strikinglycdn.com/files/8574cd37-8c13-4622-b934-959c69d7608b/rajenabikopux.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d3c7.bin` `ad0d0f73091a5bfd3f015b0f7bb87ea0269e2b99bc3af41dadaaf5609749f451`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD3C7	5400 bytes
`font_01_sfnt_off0000e631.bin` `8b8e84922933a755e43dfb3ef36bd5d9c5537576d42070947b8d6f8964222dde`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE631	10424 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.