Malicious PDF — malware analysis report

Static analysis result for SHA-256 4e2857a923cbd165…

MALICIOUS

PDF

Size: 82.4 KB
Created: 2021-06-08 14:01:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-25
MD5: 31878b3160b1ade601299b8bdcb964e9
SHA-1: 21c83cb82b935e42f13865cefa53ba3c99235ccc
SHA-256: 4e2857a923cbd1659568af923b18c228209679ba9723f057af658c8fd90c8ba5
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.007 Command and Scripting Interpreter: JavaScript

This PDF document was flagged as malicious by a ClamAV signature (Pdf.Phishing.Trojan) and by the Nyx ML classifier. The file embeds external URLs: one is carried by a link annotation with a /URI action (queure.ru), which a viewer will open when the link is clicked; the remaining URLs appear only in document text and metadata and carry no action. The full list, with the channel through which each URL was reached, is given under the Embedded URL heuristic below.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains a link annotation with an external /URI action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates (a saved edit appends a new copy of the object), so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://queure.ru/pbw?utm_term=ejercicios+resueltos+de+distribucion+binomial+bernoulli (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4490365/normal_602c678a2dc5c.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4462038/normal_5fec01907edcf.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4367938/normal_6059ead8bce8c.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4368479/normal_601348dc59d5f.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4370270/normal_6047c7e93f540.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4379720/normal_606ea6982d6a8.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4500189/normal_602e6cfe9836c.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4445324/normal_5ffa5124042a0.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366063/normal_60b8f1f9f2563.pdf (in PDF document text)
    • https://static.s123-cdn-static-d.com/uploads/4489609/normal_60b24d032d587.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4499283/normal_60b90d007303f.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/48fcde04-24c2-4690-9938-0da4e7aaf58c/beginner_functional_fitness_workouts.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d090c44b-d883-4e87-a597-fab6b2a72487/gekazisemogis.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f6d2d463-4de2-414d-9b85-377c5449577d/the_impossible_quiz_3_for_school_unblocked.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9627fca3-4a5d-4158-ba22-28c1b13a1128/29318845282.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d6e6d0a8-b2d5-4d19-b10e-324ef4b508aa/wusukitozuwofadogifu.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/3acd29b9-c78c-4672-ab9c-a53ec3012dce/data_structures_and_algorithms_in_python_tutorialspoint.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/428be5bc-9c7d-4c95-90b5-ba2dda594292/nvidia_gtx_970_vs_radeon_rx_5700.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9d987f8c-b007-4db3-800d-3bab372b9bf7/tigupeparupu.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/78fc0a29-2ea9-4ee4-bd4e-edfc8cf75dbf/nopaxogel.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f3266559-6751-4507-80fd-fc59356da180/nijizalo.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/46621f79-9810-4d04-b73d-c2ef2c7f3ce1/12057844367.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text; XMP namespace)
    • http://purl.org/dc/elements/1.1/ (in PDF document text; XMP namespace)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text; XMP namespace)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text; XMP namespace)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text; XMP namespace)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text; XMP namespace)
    • http://scripts.sil.org/OFL (in PDF document text; font licence URL)
    • http://dejavu.sourceforge.net (in PDF document text; font licence URL)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text; font licence URL)
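As an added illustration of the two structural heuristics above (PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL), and not code from the analysis tool that produced this report: the script below scans raw PDF bytes for `N G obj ... endobj` definitions, collects every /URI target together with the object that carries it, and flags any object id that is defined more than once with different body bytes, reporting what a first-wins and a last-wins reader would each see and raising severity only when a copy carries active content. The sample PDF (a link annotation redefined by an appended incremental update), the keyword list used to define "active content", and the /Prev value are constructed assumptions for the demonstration; the regex scan deliberately ignores the xref chain, which is exactly why it sees both copies.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample, not the file analysed in this report. The first
# body is a link to one host; an appended incremental update redefines
# object 4 0 with a different /URI. The /Prev offset is a placeholder.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/benign) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.net/updated) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 9 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Literal-string /URI values; handles backslash-escaped characters inside the string.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Assumed definition of "active content": keys that make a viewer do something.
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch",
               b"/OpenAction", b"/AA", b"/GoToR", b"/SubmitForm")


def iter_objects(data):
    """Yield (objnum, gen, file_offset, body) for each definition, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.start(), m.group(3)


def extract_uris(data):
    """Every /URI action target, with the (objnum, gen) that carries it."""
    found = []
    for num, gen, _, body in iter_objects(data):
        for target in URI_RE.findall(body):
            found.append((num, gen, target.decode("latin-1")))
    return found


def find_duplicate_objects(data):
    """Object ids defined more than once with different body bytes.

    For each such id, record the distinct body digests, whether any copy
    carries active content, and the bodies a first-wins and a last-wins
    reader would resolve. Identical re-definitions are ignored.
    """
    defs = defaultdict(list)
    for num, gen, off, body in iter_objects(data):
        defs[(num, gen)].append((off, body.strip()))
    report = {}
    for key, copies in defs.items():
        digests = {hashlib.sha256(b).hexdigest() for _, b in copies}
        if len(copies) > 1 and len(digests) > 1:
            report[key] = {
                "count": len(copies),
                "offsets": [off for off, _ in copies],
                "digests": sorted(digests),
                "active_content": any(k in b for _, b in copies for k in ACTIVE_KEYS),
                "first_wins": copies[0][1],
                "last_wins": copies[-1][1],
            }
    return report


def severity(entry):
    """Mirror the report's rule: body-only duplicates stay informational
    unless a copy carries active content."""
    return "high" if entry["active_content"] else "info"


if __name__ == "__main__":
    for num, gen, uri in extract_uris(SAMPLE_PDF):
        print(f"URI action in {num} {gen} obj: {uri}")
    for (num, gen), entry in find_duplicate_objects(SAMPLE_PDF).items():
        print(f"{num} {gen} obj defined {entry['count']}x at {entry['offsets']} "
              f"-> severity {severity(entry)}")
        print("  first-wins:", entry["first_wins"].decode("latin-1"))
        print("  last-wins: ", entry["last_wins"].decode("latin-1"))
```

On a real file the xref chain decides which copy a conforming reader uses (the last one, via /Prev), while a lenient or first-match parser may take the first; comparing the two bodies side by side is what turns the "defined twice" signal into a judgement about what the document is actually trying to open.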

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000e92a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE92A | 5256 bytes | fe60acc54de98f8d53d3d7f574d936912675dd7a37e79e266454ee6352a3d4b0
font_01_sfnt_off0000faef.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFAEF | 12660 bytes | 081777e208f1ecc91be4e0be88f64e53f5044718fe3833c5a7e0adbad51f6d71
font_02_sfnt_off0001249d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1249D | 16096 bytes | 3a87a2a80cb0740ff7ad33dbd9b35031d90241dfccc5ab96a3d2c3133af9c3ca