MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The file is a PDF document that contains an embedded URL. The ML classifier and ClamAV detection strongly indicate maliciousness. The embedded URL, https://seumenha.ru/award?keyword=gest%25C3%25A3o+e+administra%25C3%25A7%25C3%25A3o+de+empresas+pdf, is likely the primary vector, either for a phishing attack or for downloading a secondary payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 4
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://seumenha.ru/award?keyword=gest%25C3%25A3o+e+administra%25C3%25A7%25C3%25A3o+de+empresas+pdf
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000100e6.bin (596be7c8bccdf7ea2885283aba42760b7936136dd5397f4933aeb5c54bb2e90f) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x100E6 | 5684 bytes |
| font_01_sfnt_off00011395.bin (24ecd54bf5f31e1b0d545587ad3a35f6e773eec63c3b02b6928263870ff21956) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11395 | 13052 bytes |