Malicious PDF — malware analysis report

Static analysis result for SHA-256 38eca1accfc5702c…

Verdict: MALICIOUS
File type: PDF
Size: 82.7 KB
Created: 2021-04-27 11:52:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-22
MD5: 50b014048f3fc62d00b629625393e368
SHA-1: deb8f9105ee9151a01cc9fa5204008212778746f
SHA-256: 38eca1accfc5702c3b1c339a7a0ec7a0dacf48c004b2c03e0af22b967a0fa6b6
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and by the Nyx ML classifier. Its one clickable element is a link annotation pointing to an external, attacker-controlled site; the document text additionally carries a long list of URLs to .pdf files on free web hosts and CDNs, consistent with a phishing lure that sends the reader off-document. The ATT&CK mapping to T1059.007 (JavaScript) is not corroborated by the heuristics listed below, none of which reports a JavaScript action, so treat it as a classifier-level label rather than a confirmed finding. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware under the signature named above.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes, typically via an incremental update appended after the first %%EOF. A first-wins reader (one that takes the earliest definition) and a last-wins reader (one that follows the updated xref to the latest definition) will resolve different content, a parser-confusion shape used by targeted PDFs that lets a document look benign to a scanner yet behave differently in a viewer. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (a /URI, /JavaScript, /Launch or similar action).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/strik?utm_term=what+is+a+social+research+design [PDF link annotation]
    • https://cdn-cms.f-static.net/uploads/4380545/normal_60485d5623e84.pdf [PDF document text]
    • https://bisobozewex.weebly.com/uploads/1/3/0/9/130969373/kododigukexib.pdf [PDF document text]
    • https://vijizonumek.weebly.com/uploads/1/3/6/0/136034009/e1480c5b37.pdf [PDF document text]
    • https://cdn-cms.f-static.net/uploads/4387427/normal_605e028700396.pdf [PDF document text]
    • https://cdn.sqhk.co/nejijilo/biijeij/star_wars_retro_collection_2020_pre_order.pdf [PDF document text]
    • https://cdn.sqhk.co/nimotixalulo/iasihgi/nokedi.pdf [PDF document text]
    • https://cdn.sqhk.co/vefusujix/iheWshd/minecraft_pocket_edition_mod.pdf [PDF document text]
    • https://cdn-cms.f-static.net/uploads/4453553/normal_5fe9b0decbf43.pdf [PDF document text]
    • https://xododasewa.weebly.com/uploads/1/3/4/6/134600374/e02b5cf3e.pdf [PDF document text]
    • https://cdn-cms.f-static.net/uploads/4385410/normal_5fdc12f55e938.pdf [PDF document text]
    • https://cdn-cms.f-static.net/uploads/4381980/normal_602f140639891.pdf [PDF document text]
    • http://www.ascendercorp.com/ [PDF document text]
    • http://www.ascendercorp.com/typedesigners.html [PDF document text]
    • https://s3.amazonaws.com/kefefetafij/biblia_reina_valera_plenitud.pdf [PDF document text]
    • https://bdee3e82-1fe6-4084-b289-f15f5249f83e.filesusr.com/ugd/749937_20028bf1c6ec49ff89a8fbc4b21757bf.pdf?index=true [PDF document text]
    • https://s3.amazonaws.com/werowibovezoje/maroxepakubigagikuzi.pdf [PDF document text]
    • http://zolibexusago.epizy.com/burger_king_menu_prices_2_for_5.pdf [PDF document text]
    • http://vopepogam.rf.gd/boulevard_nights_full_movie.pdf [PDF document text]
    • https://b64dd490-e5b9-492f-89ff-e398ecee904c.filesusr.com/ugd/5926b4_d2af797c35344f16b184d62bfd7119e3.pdf?index=true [PDF document text]
    • https://s3.amazonaws.com/fodose/nemukox.pdf [PDF document text]
    • https://5071cc05-3fa2-46b1-b944-d2523ca4b51d.filesusr.com/ugd/62e2c1_494fd9e621d144038bbdd24d736389a2.pdf?index=true [PDF document text]
    • https://63a0a607-6d1b-4b95-a813-f1b07cabc719.filesusr.com/ugd/ad56f2_22e2eb505c054b0ebc951a96e757728d.pdf?index=true [PDF document text]
    • http://faxumev.epizy.com/bu_admission_circular_2020_20.pdf [PDF document text]
    • https://s3.amazonaws.com/palikuvexake/cobra_29_ltd_classic_modulation_limiter.pdf [PDF document text]
    • http://kepetexune.rf.gd/basis_of_vector_space_examples.pdf [PDF document text]
    • https://s3.amazonaws.com/timeziso/que_significa_la_letra_v_en_las_llantas.pdf [PDF document text]
    • https://6d706a39-1f93-4f1a-9423-caccf7e65e71.filesusr.com/ugd/69f91f_94df307bfeb340ddadedde16f6e580b6.pdf?index=true [PDF document text]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# [PDF document text]
    • http://purl.org/dc/elements/1.1/ [PDF document text]
    • http://ns.adobe.com/pdf/1.3/ [PDF document text]
    • http://ns.adobe.com/xap/1.0/ [PDF document text]
    • http://ns.adobe.com/xap/1.0/mm/ [PDF document text]
    • http://ns.adobe.com/xap/1.0/rights/ [PDF document text]
    • http://scripts.sil.org/OFL [PDF document text]
    The last seven entries (w3.org, purl.org, ns.adobe.com, scripts.sil.org) are standard RDF, Dublin Core, XMP and font-licence namespace identifiers that come from document and font metadata, and the two ascendercorp.com entries point to a font foundry site of the kind commonly found in embedded font copyright strings; none of these is a contact indicator. The clickable link annotation (seumenha.ru) and the .pdf-named URLs on free hosting and CDN services are the entries worth pivoting on.
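The three structural heuristics above (PDF_URI, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and the per-channel labelling behind EMBEDDED_URL) are easy to reproduce on a small scale. The script below is an added illustration, not the analysis platform's own code or output: it runs a simplified version of those checks over a constructed PDF in which a link annotation is first defined harmlessly and then redefined in an incremental update with a /URI action, so that a first-wins reader and a last-wins reader disagree about what object 5 does. The sample PDF, its object numbers and the example.invalid URLs are made up here; real tooling would additionally walk the xref/trailer chain rather than scanning for `obj`/`endobj`.

```python
"""Added triage script (not part of the original report or its tooling).
Re-implements, in simplified form, the duplicate-object, /URI-action and
URL-channel heuristics on a constructed PDF. Assumptions: the sample PDF,
its object layout and the example.invalid URLs are invented for this demo."""
import re
import zlib
from collections import defaultdict

# One indirect object: "<num> <gen> obj ... endobj". Non-greedy scanning is
# good enough for triage; a full parser honours /Length and the xref table.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(([^)]*)\)", re.S)
TEXT_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# Keys that turn an otherwise passive object into one that acts.
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction",
               b"/AA", b"/GoToR", b"/SubmitForm")

# Constructed sample (not the analysed file): one page whose text mentions a
# URL, and a link annotation (object 5) that is first harmless and is then
# redefined in an incremental update with a /URI action. xref tables are
# omitted because this scanner does not need them.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 73 >>
stream
BT /F1 12 Tf 72 700 Td (See https://docs.example.invalid/guide.pdf) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] >> endobj
trailer << /Root 1 0 R >>
%%EOF
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://phish.example.invalid/login) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""


def parse_objects(data):
    """All (num, gen, body) definitions in file order, duplicates included."""
    return [(int(n), int(g), body.strip()) for n, g, body in OBJ_RE.findall(data)]


def find_duplicate_objects(data):
    """Objects defined more than once with differing bodies, plus whether any
    of the bodies carries active content (the condition that raises severity)."""
    bodies = defaultdict(list)
    for num, gen, body in parse_objects(data):
        bodies[(num, gen)].append(body)
    report = {}
    for key, defs in bodies.items():
        if len(set(defs)) > 1:
            active = any(k in d for d in defs for k in ACTIVE_KEYS)
            report[key] = {"bodies": defs, "active": active}
    return report


def resolve(data, policy="last"):
    """Map (num, gen) -> body the way a first-wins or last-wins reader would."""
    resolved = {}
    for num, gen, body in parse_objects(data):
        if policy == "first" and (num, gen) in resolved:
            continue
        resolved[(num, gen)] = body
    return resolved


def stream_payload(body):
    """Decoded stream bytes of an object, or None if it has no stream."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    raw = m.group(1)
    if b"/FlateDecode" in body[:m.start()]:
        try:
            raw = zlib.decompress(raw)
        except zlib.error:
            pass  # keep raw bytes; a stream that will not inflate is itself worth a look
    return raw


def extract_urls(data):
    """(url, channel) pairs: /URI actions vs. URLs found in content-stream text."""
    found = []
    for num, gen, body in parse_objects(data):
        for m in URI_ACTION_RE.finditer(body):
            found.append((m.group(1).decode("latin-1"), "PDF link annotation"))
        payload = stream_payload(body)
        if payload is not None:
            for m in TEXT_URL_RE.finditer(payload):
                found.append((m.group(0).decode("latin-1"), "PDF document text"))
    return found


if __name__ == "__main__":
    for key, info in find_duplicate_objects(SAMPLE_PDF).items():
        print(f"object {key[0]} {key[1]} defined {len(info['bodies'])}x, active={info['active']}")
        print("  first-wins:", resolve(SAMPLE_PDF, "first")[key][:60])
        print("  last-wins: ", resolve(SAMPLE_PDF, "last")[key][:60])
    for url, channel in extract_urls(SAMPLE_PDF):
        print(f"{channel:22} {url}")
```

Run stand-alone, the script reports object 5 as defined twice with an active duplicate, shows that the first-wins view has no action while the last-wins view carries the /URI, and labels the two URLs by the channel that reached them. The channel label matters for triage: a /URI in a link annotation is reachable with a single click, whereas a URL that only appears in page text has to be typed or copied by the reader.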

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00010799.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10799
    Size: 5216 bytes
    SHA-256: 760745627cfa1c1200d3d16955ce4b0aa4ed4e23664c208d625991c10b464230
  • font_01_sfnt_off00011959.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11959
    Size: 10620 bytes
    SHA-256: c804f29439365f73a5a5e85e2ae1e84e4a3042dd922d438e1ca8292a77ab2d7d