PDF malware analysis — malicious · 6eec21970c9acc6a

MALICIOUS

PDF

76.4 KB Created: 2020-12-15 05:22:09 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 6d10cb8cf4ec7041800bd83502045b27 SHA-1: ee4f44090e675672b8b813587efb563231608c25 SHA-256: 6eec21970c9acc6ad626cdb7425249183f102a86d55a23755471b7ca40763a39

104 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is identified as malicious by a ClamAV detection and an ML classifier, indicating a high likelihood of malicious intent. The presence of an external URI pointing to a suspicious domain, combined with the document's presentation as a service manual, suggests a phishing or malware distribution lure. Although no scripts were explicitly extracted, the PDF format can embed JavaScript, which is often used to facilitate malicious actions like downloading further payloads.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://trafffe.ru/123?utm_term=lexmark+e232+service+manual
- https://diziwupufetut.weebly.com/uploads/1/3/4/4/134477772/4401013.pdf
- https://cdn-cms.f-static.net/uploads/4498842/normal_5fb81508620f6.pdf
- https://rosanibo.weebly.com/uploads/1/3/4/8/134873488/xufurimute-wigovibik-wanerawuziwomog-pudexabawobovo.pdf
- https://jezitazosebizag.weebly.com/uploads/1/3/4/7/134700096/taxadifupesafutom.pdf
- https://cdn-cms.f-static.net/uploads/4387562/normal_5fb4b192e349b.pdf
- https://cdn-cms.f-static.net/uploads/4414169/normal_5fbb51718c1a1.pdf
- https://rovatelafewi.weebly.com/uploads/1/3/4/3/134392743/petenulefadito_jegina.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/buponuwebi/windows_10_driver_for_hp_officejet_pro_6968.pdf
- https://s3.amazonaws.com/gazivemon/biwekigijutag.pdf
- https://s3.amazonaws.com/wetevali/gidisewezowop.pdf
- https://s3.amazonaws.com/tizowodifi/37345301970.pdf
- https://s3.amazonaws.com/mefadedosuw/eng1_medical_certificate_form.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e3f4.bin` `5f7ded07ea3602f0924bdae39dfaa821cedbccaf61dbcda79d77001ff9da3c31`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE3F4	5372 bytes
`font_01_sfnt_off0000f62b.bin` `7585ea263064cefce43c9d15a4a908a12fff14130f87a17828f995a274c4ee8c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF62B	2012 bytes
`font_02_sfnt_off0000ffc9.bin` `e483f7130108c381162d31c40090d425f28ad36246aed799eea728ff0fc4bb76`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFFC9	10756 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.