Verdict: MALICIOUS
Risk Score: 104
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains a URL that mimics a download link for cracked software, indicated by the heuristic 'PDF_URI' and the URL itself. The ML classifier and ClamAV detection strongly suggest malicious intent, likely phishing or malware distribution. No scripts were extracted, but the presence of a malicious URL and the document's deceptive content point to a social engineering attack.
Machine Learning
- Nyx PDF Classifier malicious score 0.9992
Heuristics 5
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Visual download / call-to-action button lure [low, SE_DOWNLOAD_BUTTON]: Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
- External URI [info, PDF_URI]: PDF contains an external URL action
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- URL https://philabc.ru/pbw?utm_term=free+download+autocad+2007+full+version+software+with+crack (PDF link annotation)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e2a4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE2A4 | 5636 bytes | 0f6d6cfa50ddca2044f11810c8f9a79b6883f4a698577df0e290e9134e2c26a3 |
| font_01_sfnt_off0000f5e7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF5E7 | 10928 bytes | 370df3e7d5b4c3aaa92acdb0c37584983109e3698694d3a03cab9cdeb1cebb24 |