Malicious PDF — malware analysis report

Static analysis result for SHA-256 62d67040ac21199c…

Verdict: MALICIOUS
File type: PDF
Size: 541.9 KB
Created: 2021-03-14 08:30:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: 543694dc1a3aa0b5b70f360b4a65fb15
SHA-1: 5b51a649ee219f96b5094164ddc892fff2957908
SHA-256: 62d67040ac21199caa5f2cc95dfe11e1a7cd6c53a11baf71daa1dcf44ae95aa8
Risk score: 74

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a link annotation whose URI points to resalured.ru with a search-keyword parameter ("process dynamics and control 4th edition pdf"), and the document text contains further links to .pdf files on free hosting and CDN domains (iblogger.org, 22web.org, filesusr.com, strikinglycdn.com, sqhk.co and similar). Together with the wkhtmltopdf authoring application, this is consistent with a "download this PDF" lure page rendered to PDF and suggests a phishing or malware distribution attempt. The ClamAV detection 'Pdf.Phishing.Trojan' supports this reading and is the only critical-severity finding; the Nyx classifier score (0.3647) and the heuristic severities are low on their own. The AcroForm button with an action trigger is the likely control used to initiate the redirection to the external URL. The remaining URLs (the Adobe XMP namespaces, w3.org and purl.org, and the licence sites for DejaVu, GNU FreeFont, SIL OFL, Ascender, THDL and Font Awesome) are metadata strings from the XMP packet and the nine embedded fonts, not lure links. Note also that none of the heuristics reports JavaScript in this file; the T1059.007 mapping is not backed by an observed /JS or /JavaScript object in this report.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3647

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of the fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/wix?keyword=process+dynamics+and+control+4th+edition+pdf (PDF link annotation)
    • http://kezusese.iblogger.org/explain_how_energy_and_matter_flow_through_ecosystems_differently.pdf (PDF document text)
    • http://tk-pobeda.site/lavuvinekagelurz03.pdf (PDF document text)
    • https://cdn.sqhk.co/potiribuwuf/icgcled/the_longest_game_ever_2_level_454.pdf (PDF document text)
    • http://vasazuruxu.iblogger.org/cabinet_vision_11.pdf (PDF document text)
    • http://4escam-bot.online/mosogokajijisebedogupazijodu5u.pdf (PDF document text)
    • http://jigatinapa.22web.org/lirogupelenok.pdf (PDF document text)
    • https://cdn.sqhk.co/dibirolinu/hdirVjc/idle_blacksmith_hacked.pdf (PDF document text)
    • https://cdn.sqhk.co/mudonisogub/Dheial4/jaden.pdf (PDF document text)
    • http://tuxesimufimiti.mypressonline.com/cnb_magisterio_de_educacin_infantil_bilinge_intercultural_-_completo.pdf (PDF document text)
    • http://fontawesome.iohttp://fontawesome.io/license/ (PDF document text; two adjacent strings fused by the extractor)
    • http://www.ascendercorp.com/ (PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (PDF document text)
    • http://www.thdl.org/http://www.thdl.org/Tibetan (PDF document text; adjacent strings fused by the extractor)
    • http://www.daltonmaag.com/ (PDF document text)
    • https://uploads.strikinglycdn.com/files/6be10dbd-50bc-44e2-9b63-59cef37aaed8/tesla_model_3_standard_range_plus_options.pdf (PDF document text)
    • https://f6180879-d31b-499c-8e42-fead7842c491.filesusr.com/ugd/007227_f5c5bf585bca4ae9a292f7ac2af38504.pdf?index=true (PDF document text)
    • https://8964868a-aef6-4da0-9a9b-29de7c28e0c5.filesusr.com/ugd/b910ae_95ddf98266d145ad9be1681301f3c952.pdf?index=true (PDF document text)
    • https://3745348a-78a0-42d7-8ff4-af2b45bf5faf.filesusr.com/ugd/02631b_5233bae59a524757b4bee2b1e9480c58.pdf?index=true (PDF document text)
    • https://cad90261-f038-4e8a-b384-2e0e37e6cb8c.filesusr.com/ugd/4c4e45_2668cbc3f49b4d0dae86258a5e44e58a.pdf?index=true (PDF document text)
    • http://kepofif.onlinewebshop.net/jill_poole_textbook_on_contract_law.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/8c632793-8766-4d12-a184-4ec233e831ad/when_was_my_remington_model_11_made.pdf (PDF document text)
    • https://6d8b2927-5c4d-40df-b593-c6bd35e19528.filesusr.com/ugd/1adac8_66f6a7e98f0948f3b188baeb576e6f99.pdf?index=true (PDF document text)
    • https://uploads.strikinglycdn.com/files/b831819d-12f4-47d2-8526-06aab6b2aacf/how_to_wind_automatic_watch_tag_heuer.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/bc0b2d1a-5e1c-4014-908b-dc9814f73b59/sawoxarugokofek.pdf (PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (PDF document text)
    • http://purl.org/dc/elements/1.1/ (PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (PDF document text)
    • https://savannah.gnu.org/projects/freefont/ (PDF document text)
    • http://www.gnu.org/licenses/ (PDF document text)
    • http://www.gnu.org/copyleft/gpl.html (PDF document text)
    • http://scripts.sil.org/OFL (PDF document text)
    • http://www.gnu.org/copyleft/gpl.htmlTibetan (PDF document text; trailing text fused by the extractor)
    • http://dejavu.sourceforge.net (PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (PDF document text)

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off00076e02.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x76E02 | 12516 bytes | 33f84e8ed8fa373393b77a654699e2269ac739576bb629ccbb8479954a5b98e3
font_01_sfnt_off0007909e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7909E | 22552 bytes | 40a8dcfc4aeb273a9594217ab8990d1aaa329e89ee7a8f9ff28986023f882e24
font_02_sfnt_off0007caab.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7CAAB | 2912 bytes | b3177c8de935bf2e05ba58035bb430970af2c83108b60a2dfb12b0772094c699
font_03_sfnt_off0007d507.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7D507 | 5376 bytes | 6fecfc8030726d189526c20b3be375d97aa77082a2d8ca4fc410e3caa133bac1
font_04_sfnt_off0007e72a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7E72A | 8976 bytes | 2df30c64b97ccb2843abf29c5a8ff3ba720237445e9a583b0b2f07585fdb381c
font_05_sfnt_off0007f8f3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7F8F3 | 2472 bytes | 0a7f4f147df175c406e4e23c22e9f759932ffb2a0dbe988c4e4906cc2b60fc04
font_06_sfnt_off00080341.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x80341 | 17120 bytes | c4ab824750dad369d91955d7e135183a9c4628c64587b0a7b32c35295dc1ab41
font_07_sfnt_off00083cc0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x83CC0 | 16828 bytes | 5dd3bc2139c04d3db0972fc0de64ff13fc723744d6e5a5648787a1d9304de7e7
font_08_sfnt_off00085493.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x85493 | 4324 bytes | 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361
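The three heuristics above that matter for triage (a /Btn field with an action trigger, an external URI action, and an object number defined twice with different bodies) and the font carving in the artifacts table can all be reproduced with a regex-level scan that deliberately ignores the xref table, because the duplicate-object check has to see every definition of an object rather than the one the xref points at. The Python below is an added example, not the analysis platform's own code, and it does not process the analysed sample: it builds a minimal constructed PDF inline in which object 5 is redefined by an appended incremental update with a /URI action (so first-wins and last-wins readers disagree), object 6 is a /Btn widget with a /URI action, and object 7 is a FlateDecode stream holding a fake sfnt blob. The object and stream regexes, the action-key list and the SFNT magic list are the example's own assumptions; xref tables are omitted from the constructed sample because the scanner never consults them.

```python
import hashlib
import re
import zlib
from collections import defaultdict
from pprint import pprint

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
ACTIVE_RE = re.compile(rb"/(URI|JS|JavaScript|Launch|SubmitForm|OpenAction|AA)\b")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
BTN_RE = re.compile(rb"/FT\s*/Btn\b")
STREAM_RE = re.compile(rb"<<(.*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")

# Constructed fake TrueType blob: only the sfnt magic matters to the carver.
FAKE_FONT = b"\x00\x01\x00\x00" + b"\x00" * 60
FONT_Z = zlib.compress(FAKE_FONT)

# Constructed sample, not the analysed file: the original body defines object 5
# as a plain link annotation and the appended incremental update redefines 5 0 obj
# with a /URI action; object 6 is a /Btn widget whose /A entry is a URI action.
# Xref tables are omitted because this scanner never consults them.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [6 0 R] >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R] >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] >> endobj\n"
    b"6 0 obj << /Type /Annot /Subtype /Widget /FT /Btn /T (Download) "
    b"/A << /S /URI /URI (http://example.invalid/lure.pdf) >> >> endobj\n"
    b"7 0 obj << /Length " + str(len(FONT_Z)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + FONT_Z + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
    b"/A << /S /URI /URI (http://example.invalid/redirect) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def index_objects(data):
    """(num, gen) -> [(file offset of body, body bytes), ...], every definition, in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append((m.start(3), m.group(3)))
    return objs


def duplicate_objects(objs):
    """Objects defined more than once with different bodies (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL).
    'active' is the case the heuristic raises severity for: some copy carries an action key."""
    report = {}
    for key, defs in objs.items():
        bodies = [b.strip() for _, b in defs]
        if len(set(bodies)) > 1:
            report[key] = {
                "active": any(ACTIVE_RE.search(b) for b in bodies),
                "first_active": bool(ACTIVE_RE.search(bodies[0])),
                "last_active": bool(ACTIVE_RE.search(bodies[-1])),
            }
    return report


def buttons_with_trigger(objs):
    """/Btn form fields that also carry an action trigger (PDF_ACROFORM_BUTTON)."""
    return sorted(k for k, defs in objs.items()
                  if any(BTN_RE.search(b) and ACTIVE_RE.search(b) for _, b in defs))


def uris(objs, view):
    """URI action targets as a first-wins ('first') or last-wins ('last') reader resolves them."""
    out = []
    for key in sorted(objs):
        _, body = objs[key][0] if view == "first" else objs[key][-1]
        out += [m.group(1).decode("latin-1") for m in URI_RE.finditer(body)]
    return out


def carve_sfnt(objs):
    """Streams whose (inflated) content starts with an sfnt magic: offset, size, sha256."""
    found = []
    for key in sorted(objs):
        for off, body in objs[key]:
            m = STREAM_RE.search(body)
            if not m:
                continue
            params, raw = m.group(1), m.group(2)
            length = re.search(rb"/Length\s+(\d+)", params)
            raw = raw[:int(length.group(1))] if length else raw
            if b"/FlateDecode" in params:
                try:
                    raw = zlib.decompress(raw)
                except zlib.error:
                    continue  # not inflatable; a real carver would try the remaining filters
            if raw[:4] in SFNT_MAGICS:
                found.append({"obj": key, "offset": off + m.start(2), "size": len(raw),
                              "sha256": hashlib.sha256(raw).hexdigest()})
    return found


def triage(data):
    objs = index_objects(data)
    return {"duplicates": duplicate_objects(objs), "button_triggers": buttons_with_trigger(objs),
            "uris_first_wins": uris(objs, "first"), "uris_last_wins": uris(objs, "last"),
            "fonts": carve_sfnt(objs)}


if __name__ == "__main__":
    pprint(triage(SAMPLE_PDF))
```

On the constructed sample the first-wins view yields only the button's URI while the last-wins view also yields the redirect added by the incremental update, which is exactly the disagreement the duplicate-object heuristic describes. The scanner is intentionally simple: it does not unpack object streams (/ObjStm), handles only FlateDecode, and would miss actions hidden behind other filters or split across string encodings, so treat it as a second opinion next to the platform's own findings rather than a replacement for them.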