Malicious PDF — malware analysis report

Static analysis result for SHA-256 71e8f377a716e2fe…

Verdict: MALICIOUS
File type: PDF
Size: 95.9 KB
Created: 2021-06-05 13:20:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: a3f3430286d719092f2452f382363244
SHA-1: dee4978c2d69f6ae4d5ae5e426a57b3d8642f3a3
SHA-256: 71e8f377a716e2feb035babff9848bbc32c04b670c4523b0ff5023f4d36e970f
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9797

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for the same reference, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000f2eb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF2EB 6588 bytes
SHA-256: 4e1a9c4cb32f1bc4ff176ae4dc1460c31b2d267bf2def0252f23ad2731e7be72
font_01_sfnt_off00010364.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10364 5272 bytes
SHA-256: 687663f4a04e4d6e06fc59b812defa4d474f966b151ddb85632c60ae1d9ca19f
font_02_sfnt_off00011566.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11566 1936 bytes
SHA-256: 21a7146106e2ad29a4dcc6aa55cee169416400570e2b3d493b6d071cb256f2f3
font_03_sfnt_off00011ea8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11EA8 19200 bytes
SHA-256: b25bc0fea0d45de2d0d36a095cef54f268b9414b0ddbf78c0ff1aaf17f972c0b
font_04_sfnt_off00014b4e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x14B4E 16168 bytes
SHA-256: e5458d7b6d82539349b17fc4713a17e1381d471255c72d9f8116b7c86e08c443
font_05_sfnt_off00016053.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x16053 4324 bytes
SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c