PDF malware analysis — malicious · 531ce12d08f96fa4

MALICIOUS

PDF

76.1 KB Created: 2021-05-30 02:17:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-24

MD5: f54aecdf62e92aae0781be1982fb604b SHA-1: 5a25c3364f53a628a3753180f08cb233cec424f2 SHA-256: 531ce12d08f96fa4815d469bb7e617434f75b8bb556e8104f12bc7078b2e549a

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

Nyx PDF Classifier malicious score 0.9993

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://golowaki.ru/123?utm_term=2020+calendar+template+for+indesign PDF link annotation
- https://static.s123-cdn-static-d.com/uploads/4370280/normal_60b21bc6f001c.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4453528/normal_603813d95509a.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4365657/normal_5fe1c241e352d.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4444110/normal_5fd679f3cd5bf.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4372358/normal_604870797e9af.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4428335/normal_60037bdead2c4.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4491414/normal_60633e28b0686.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4407331/normal_60325a0a7cd32.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/7498e243-0af8-4aba-bd1b-0b26e8296429/line_6_bogner_spider_valve_112_schematic.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/60cecc4c-474b-447c-80e3-c3fe6498408e/xuxezelajelad.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/6b4219eb-19d9-481a-9920-8e84213de1e1/what_are_the_8_systems_of_the_body.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d4075f4f-76d8-4268-8255-62609cf72021/lonomusonumibepita.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1b79182c-2947-4ea5-91c6-f42e2646eb49/how_to_remove_battery_from_panasonic_toughbook_cf-52.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/00c449e7-ecca-4663-95e2-30284433eb56/6982705277.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/aa15b46d-c53c-4530-ad65-e6b800eca7ed/how_to_clean_a_mantel_clock.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f8c247d6-4984-4524-a406-7d4356c4456e/robert_monroe_institute.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/4f663c25-cb0d-4bd1-ad01-a4bbceecd747/principles_of_polymer_systems_sixth_edition_solution_manual.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b43b7dbe-f5ee-4809-901b-4cc393e468b9/25954670687.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e6a67166-59a9-46c6-9c08-8e75955f9281/how_to_install_glacier_bay_bathroom_sink_faucet.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/643a0996-68d2-4d3f-92bc-7b43539b0778/45660387870.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0fe7bdb2-f3c9-41d0-9f78-8243d35a6112/91298912977.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0fe342cd-0423-4f9d-b614-69592d5b5bba/loluk.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9b870b9b-c655-4a84-a928-d7de9cffc286/pixuxuzowuban.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ec23.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEC23	5652 bytes
SHA-256: `46fd7ff6acdc3aabb771bd56cf8d4d71b7b6e61f9c5f74e15abba8c666741527`
`font_01_sfnt_off0000ff40.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFF40	10420 bytes
SHA-256: `666a313ec5b88757bd97d7c5ff3e2283c70f92b52602bf57a9620c0b73838a5f`

Open this report in the interactive analyzer, or submit your own file for analysis.