PDF malware analysis — malicious · 667ef688512387bf

MALICIOUS

PDF

257.0 KB Created: 2021-05-29 15:40:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-25

MD5: 6e10b3e4fcb54be341074433c8eb895e SHA-1: a87d1e6498748f455530c50b460c044073eae8e3 SHA-256: 667ef688512387bf2eedd5e45eb42ef1650b93c382e363f8ba115815b64f7a93

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains an embedded URL that directs users to a phishing site disguised as a free English class advertisement. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for credential harvesting or malware distribution. No scripts were extracted, but the presence of the malicious URL is a primary indicator of compromise.

Machine Learning

Nyx PDF Classifier malicious score 0.9790

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://bologen.ru/strik?utm_term=clases+de+ingles+gratis+en+new+york+2018 PDF link annotation
- https://static.s123-cdn-static.com/uploads/4465687/normal_5ff19ccc7665a.pdfIn PDF document text
- https://static.s123-cdn-static-d.com/uploads/4407084/normal_60b0aa40e38f7.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4498883/normal_5fe6a1ca0f08d.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4485704/normal_5ff1cc1b53a03.pdfIn PDF document text
- https://xemubafuwifo.weebly.com/uploads/1/3/4/4/134475424/062e9000.pdfIn PDF document text
- https://boxotajisosuni.weebly.com/uploads/1/3/6/0/136086252/dec602b.pdfIn PDF document text
- https://kalozepi.weebly.com/uploads/1/3/0/8/130814360/71ba99ac1c60b.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4470523/normal_5fdd5ab4696a4.pdfIn PDF document text
- https://gomamatugapisum.weebly.com/uploads/1/3/4/3/134392688/kosej_batutale_zudasegow.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4413474/normal_5fe47e1f11c65.pdfIn PDF document text
- https://topuzuxet.weebly.com/uploads/1/3/0/7/130739133/fisumobozisakawer.pdfIn PDF document text
- https://womonejod.weebly.com/uploads/1/3/2/6/132681039/fd6917c2ac.pdfIn PDF document text
- https://kiledakod.weebly.com/uploads/1/3/5/3/135385809/getexisu.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4390052/normal_606d956e934c3.pdfIn PDF document text
- https://menedusuwoguv.weebly.com/uploads/1/3/4/6/134699995/d2c98f2ee130f.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4426675/normal_606e7d5fe2878.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- https://uploads.strikinglycdn.com/files/fc9d7485-f8d4-40a2-a385-f4064a30199d/snaptube_vip_hack_apk_download.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e968b541-2495-44d1-95a5-afe21573e5ce/why_does_my_blood_pressure_monitor_show_error.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/79f88e40-0e28-4f65-add2-ae93bff112ad/72453532986.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0f415fe8-037e-4b2c-9fe4-2e0b2c00d061/bukozaxiv.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e3d5c901-6582-441f-88c5-042ffb4144fb/72198170666.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8bc5a1b5-e3b6-4564-bf46-163de14118c5/23629093290.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f872bdf3-9a5f-48c2-aae5-c649ba5be1aa/1997_sea_ray_sundancer_270_weight.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00038fd9.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x38FD9	4112 bytes
SHA-256: `b99dc1bee8eb45403472487adbda37e1160fc20b4cf4fdd91a38651592442ea1`
`font_01_sfnt_off00039e31.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x39E31	5580 bytes
SHA-256: `1c931788ee4cd5c515aa294baa059d1a89f67b56b362cd1a5c46a80c9890a582`
`font_02_sfnt_off0003b156.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x3B156	16404 bytes
SHA-256: `078a5816e1a323a37be25134eb25f980880e67cde2941ab7e5a9bae8cfa1be94`
`font_03_sfnt_off0003e50e.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x3E50E	4324 bytes
SHA-256: `a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f`

Open this report in the interactive analyzer, or submit your own file for analysis.