PDF malware analysis — malicious · 55c0f4c00a95f8d5

MALICIOUS

PDF

82.7 KB Created: 2021-06-10 05:28:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-27

MD5: 1c043882dfdfd9f4b4514863b8035ee4 SHA-1: 28859e886f1f84a97ddb732177aba773b4f7766a SHA-256: 55c0f4c00a95f8d5cf88fdf7e201ff13d6c78459de5eca0ef3d2ecf032883638

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. The embedded URL `https://ketchas.ru/pbw?utm_term=kendrick+lamar+to+pimp+a+butterfly+free+mp3+download` suggests a lure for downloading music, which is a common phishing tactic. No scripts were extracted, but the presence of external URIs and the overall detection profile indicate a phishing attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9991

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ketchas.ru/pbw?utm_term=kendrick+lamar+to+pimp+a+butterfly+free+mp3+download PDF link annotation
- https://cdn-cms.f-static.net/uploads/4388611/normal_604d7c74f219b.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4378382/normal_6051b4c25ed8e.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4459175/normal_606ad7d7284a9.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4409420/normal_5ffd1e3e6c09c.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4421036/normal_6058a0bf7e4f8.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4487382/normal_5fdf62853c132.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4488336/normal_6028699851c11.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4445125/normal_5fcdb2c690556.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4481162/normal_604b3f1704f93.pdfIn PDF document text
- https://static.s123-cdn-static-d.com/uploads/4420906/normal_60b762452cf57.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- http://kesowununak.pbworks.com/f/how_to_find_the_critical_f_value_in_excel.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e59721ab-ff57-4cc3-b168-6e2c50ea8aa4/what_causes_inflammation_of_the_piriformis_muscle.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b462ede0-dd8d-4660-8da2-117f47cd4f75/how_to_connect_logitech_z506_speakers_to_pc.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/90031c51-4dae-47bf-b8ed-a2fa298d0a49/31635221451.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c4ba9557-d494-4b42-b9dd-40e9289bc121/74325792107.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7ef53de4-d712-4dea-8d5c-456fb9eebd02/maxulexe.pdfIn PDF document text
- http://kiletejude.pbworks.com/w/file/fetch/144425679/firurugejalim.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c21c4d17-096f-4bd8-a431-f5a2886cfd7c/junior_graphic_designer_jobs_chicago.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/02418a64-43bc-4b4f-8845-23746d51d586/what_is_on_the_royal_standard.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/81760d14-507d-464e-828f-f16307663306/el_libro_tica_para_amador_de_fernando_savater.pdfIn PDF document text
- http://sodopateduke.pbworks.com/f/liril.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/88cb2951-8ca4-4736-93f8-2016742bb6b8/quant_job_interview_questions_and_answers_download.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0585c383-db7a-4579-8e4b-6c65560fea1a/mugetoxesumurikova.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f191.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF191	5536 bytes
SHA-256: `98f55dfbdb6d47978f666a9737f08d4b2184a27bad0be26f7f98ec0c27bc675e`
`font_01_sfnt_off00010450.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10450	13596 bytes
SHA-256: `1c1b57c10b7652379e74a3d42d087c9dc8ba5e109c60cfeea02e0af408bd9c77`
`font_02_sfnt_off00012e7d.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12E7D	4324 bytes
SHA-256: `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`

Open this report in the interactive analyzer, or submit your own file for analysis.