PDF malware analysis — malicious · 511011531590e3d5

MALICIOUS

PDF

74.3 KB Created: 2021-06-03 03:22:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-21

MD5: 97b907c7eb94d5305465297ece830da2 SHA-1: 78fe57f1d33ae4fbf962f01e4e1977d672df8ecc SHA-256: 511011531590e3d5f885741c490f8190763b0dfa8e2d946dd17b264bbff65d60

146 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1566.001 Spearphishing Attachment

This PDF file contains an embedded JavaScript payload, as indicated by the PDF_EMBEDDED_SCRIPT_PAYLOAD heuristic and the presence of a script stream. The script likely serves to download and execute a second-stage payload from one of the embedded URLs, a common technique for distributing malware. The ML classifier and ClamAV detection strongly support its malicious nature.

Machine Learning

Nyx PDF Classifier malicious score 0.9993

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://cructi.ru/pbw?utm_term=toshiba+ct-90326+fernbedienung+bedienungsanleitung PDF link annotation
- https://cdn-cms.f-static.net/uploads/4383797/normal_60557e15475e4.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4391326/normal_5fe4c76cb7af7.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4481828/normal_600c119332f06.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4482636/normal_6054edb08ac8b.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4412899/normal_605be4b92be24.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4483867/normal_60171ecb26475.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4453729/normal_5fecfd86c7877.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4383582/normal_60522e486a0df.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://xoxafepapesu.pbworks.com/f/20571642886.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/28db8eeb-bb61-4742-a734-1c2c9c62285b/tivibexatava.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/3fc75915-02c8-4e04-870c-a04266517dcd/what_can_cause_a_thermostat_to_go_blank.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/800a9fd4-8009-444f-b1fb-995b1ddbcce3/45888660932.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/abb9a9d2-d138-479a-bce2-9405575c3add/the_appraisal_journal.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8282fd86-cd7d-4389-ac24-3a6d272c531e/mirapomigujiloniwuf.pdfIn PDF document text
- http://noxiwako.pbworks.com/f/jusanawupefiwobutufa.pdfIn PDF document text
- http://ruwomodanom.pbworks.com/w/file/fetch/144445449/que_esperar_cuando_se_esta_esperando_pelicula_completa_espaol_latino.pdfIn PDF document text
- http://dajodovilav.pbworks.com/w/file/fetch/144532080/how_to_write_a_letter_of_permission_to_be_absent_from_work.pdfIn PDF document text
- http://pamotekegopa.pbworks.com/w/file/fetch/144447564/ielts_reading_test_practice.pdfIn PDF document text
- http://nubuzefi.pbworks.com/w/file/fetch/144532593/present_perfect_spanish_practice_worksheets.pdfIn PDF document text
- http://jesababa.pbworks.com/w/file/fetch/144413904/how_to_cancel_google_play_refund.pdfIn PDF document text
- http://ropotupi.pbworks.com/f/driving_license_test_questions.pdfIn PDF document text
- http://paditoxef.pbworks.com/f/pasisido.pdfIn PDF document text
- http://detomipipu.pbworks.com/f/test_answers_ashworth_college_electrician_reviews.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_pdf_script_0001216d.bin`	pdf-embedded-script	PDF decompressed stream script payload at offset 0x1216D	76065 bytes
SHA-256: `c8eedbe1175b3559b0ed0ec6877c6109506fa92d3589177503f107fc992889fc`
Preview script First 1,000 lines of the extracted script %PDF-1.4 1 0 obj << /Title (�� T o s h i b a c t - 9 0 3 2 6 f e r n b e d i e n u n g b e d i e n u n g s a n l e i t u n g) /Creator (�� w k h t m l t o p d f 0 . 1 2 . 5) /Producer (�� Q t 4 . 8 . 7) /CreationDate (D:20210603032210+03'00') >> endobj 3 0 obj << /Type /ExtGState /SA true /SM 0.02 /ca 1.0 /CA 1.0 /AIS false /SMask /None>> endobj 4 0 obj [/Pattern /DeviceRGB] endobj 7 0 obj << /Type /XObject /Subtype /Image /Width 625 /Height 155 /BitsPerComponent 8 /ColorSpace /DeviceRGB /Length 8 0 R /Filter /DCTDecode >> stream �� JFIF K K �� C �� C �� q " �� } !1A Qa "q 2�� #B�� R��$3br� %&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz�� w !1 AQ aq "2� B�� #3R� br� $4�%� &'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz�� ? ��#iK�j�}�y q�h��C� (#��I��V_�� X�8�@ \ːz \|�v�� [ � 0�9�_�}8�]2 K�\�e��?O�N�̔�ۯ�~� ��E�sêP 8 �K7�%� �� xx ɧ)��5ă�� {�ҺV��m��'@ ��I �� >b�`�� z� �^��Ĵ\��s � ò��O<�� 8�� H� �:��۵�?}&r= ��+�M�w6J��;�9 9�8?�J�o88 �~3�� ZO��7�� \| ��ɏ�� \|�q��zw�7�O [ǅ��C Uf�� p��#��}k�X >dU ��>� �Ҁ~��NF�9'� ��~�f�� l]>L��>�( ��܎��/�/ )L��q� �+��$n#9�t� ��mw ��{g�8�8(0`嗃��<��iY �)=?��X��Ng�� w��j7�=�ˈ�>� $c�g�� u α��{8�Q׭/� �� S�>��=��2��s��/�K� �?i��uG �/ y��M��3�rz�� g`�P �� =�D��(A I� 3�9��BA)�� #�_�> 7i� �q) ��} :d \|1l� ��]�C�� j�9PK"�P~l�� 7� ?�B�17H�1Ԏx �؎}��ҝ��{�[ _��r��{Ïl �w� ��7'<��#�#��~��jw/F�� ?J�#@w InG � � ��<��?31 �'�\t M � d�� L��/ +�=� ��L c�}{��ia�E��bVŐ��2��WDq d6P�� z� G EP :v�� )Xjm;��\|"� % N�}g��';��6o�^ ��c��f� ��s��OO��t� T�,I� �� x�L��(�X g '�y�ۜP� �+i��!��.E�#rN �P �Æ��@) �� a��pVy =�� )�v�ۨ �� Σ� ��n�� 9I> xx� �[#2 �Ryr�OA� �ԍ��Ò� ��P�,� �� Z�� c�T�i^��#��$��c�� b"��s'�� R� �'�� {��c � �8� � !]��ħ= �� _�C 7S�ON� ;��˴��9� ?��B� �FsQ\| �� \|�j�e�%$z` �_�S��W�%R ��p<�p�_��j�M�DU �W ��8�� h ��e�'�n�;=XG�>��#��D�WLrW��a�y ��Ӣ�7ᠤ%��s��[#9�,g� �]4��~`s�/R=3�� q��!f�z�ӯ_J}4%YO_��s#�� YT ?sgo�\|J0N} K��ÎP%� Q� �C�9��qۜ�L $��@RW��v\|�al ��9��5{[��R �� &��L �z~ ԭ��A%<�0JA��. �e�c�鎕ӔT�U��3�x� l��K�u d�?Jm�"˖�9��T (�4�� q׏��Ҙ� �>��==VI p�I� ��N��s�� u�� G6N� � 9 � � �\|�ڀz��7M?��[� �d d� �� z }�x �֖ �~ `�t�Xm 7 ��G��t�� ۧA��8�c# �lp �z �u�v�ߩϏ�� K 90� �H��>n��~ �tȸ�� o�n% �}[��N�� e�'w>� � ӌR� � d� < �t�֒F��}v�� <� �s! �[� =8�� {���9 d e��>�ר�];1[�\`��>�zt��Q�B �g;� =8��3J�z� Z _�̯�� cL� ⸔c�`��4M�w�.��%�\ }�Q� ޮ��0�Dh��2d}�r�� ;t#�K#f< w7�A�<r?� =ƚqh��熕�N��6%�q��{ ,? \|;+�� #� ̠��~l�� t��&�̣ '�� z�ǭ#�v>� �� : ��Qqz=?��~ �r �l �' 7r�ϯ,z��[� {�J��;� h� �� K ��8=��}9�� ;�K�g� ��A׵>� �� C�_�~ ��U�n�n$��=�� O&G >� �j��6�S�I��; c�_ʇ�� Q��YY[ �C�c��"�� C�� _;Ngh� Y�\��?� �� ðn Mb8�\ˑ��!��H� �� N1��5>�r�0�A� �sCC��~}��N^o�� u72� �7 (�� !Mͦ��2ٹ��I��Ұ/) }��{� /֚�ĨY ��S� �� R�� s�� 9C�3�F8 �� (�� m:ho,�U \|÷� 1��]J.b� H$�O��b��!7a� � ϊE;��9s�o�fO� �1R 3I��K'� D�n��eg��>��{�ϭt�ؓ�8��8�ӟ�ґX��i%��?��K�o�� ͷ�/ 2&t� B��g�>n�?� ��y�� l��>�+�e @�FpO?�Қ�#�Z Cdd�c �� ȥa�>��$�C�s�5J�9��( �G ��"��6,J ��T � Q��r+��RWr�� F s��R�"Ȯ0B�� c#�s��>ߍ6�NZ��9��T� � =�~ �q) �A�� .~ h ��t�� ny�lzt`O�]$�Uܥ� ��A� <g� ��c D��p � � � [��_o��s� �� G4��Cd�)�Q�� ,_ <<[si��Ps��ޢ�b ܜ+nʕ;��ޚ�\|��8 �3�s�9��qHw��\\| ��b � ��}�U ��s�̟ \|= �K ,�<�N܎�݌�u�� *Y� z �8� $�� ' �~�� ^�� ;� .%=@ �� <9#d� RrwM(� ٹ >�خ��NB�6 �� ^��Mh�Ʃ�qS��y��hA'fr��wä��<G (��&��GZ�� y �}�� =@��U�A99 O#��z � {� %� � �<��> ��_��/#� �� L�� ϔ 0 r�� ... (truncated)
`font_00_sfnt_off0000dfe6.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDFE6	6152 bytes
SHA-256: `2553a41ad18176ea2ebd01150ddffe568f3dd5ee6c99165fccaeac338da8f44d`
`font_01_sfnt_off0000f4c0.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF4C0	11948 bytes
SHA-256: `c69da9dee8f7bdaf7450f8536b666911e0741a5e559c294f23ff97f980b53ddf`

Open this report in the interactive analyzer, or submit your own file for analysis.