PDF malware analysis — malicious · 72acf6a7a008b674

MALICIOUS

PDF

102.9 KB Created: 2021-05-29 23:24:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-01

MD5: c272046109485350ece56808bbee6f2e SHA-1: 46fb69d8b8956f4b826974023355d9416859e939 SHA-256: 72acf6a7a008b67438dfce71d5c181e1719fda2b66349c38c9d1748fcb0e9710

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

Nyx PDF Classifier malicious score 0.9996

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://nipisod.ru/123?utm_term=aprendizajes+clave+preescolar+pdf+mini+pep PDF link annotation
- https://cdn-cms.f-static.net/uploads/4380876/normal_60400bfa0da74.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4369164/normal_6036d326d4ca7.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4500001/normal_5fd368ea3b540.pdfIn PDF document text
- https://static.s123-cdn-static-d.com/uploads/4401985/normal_60b0fac2e6495.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4417208/normal_5fe238d18feaf.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4374520/normal_60067edf0f140.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4471683/normal_601f0d3e1fa58.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4463010/normal_6043b32518a59.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/5d88243c-2d1d-4c4d-9cc6-588ce922af67/84312019128.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/985975dc-9bc9-4ac9-93f8-09a530e9b4fd/39450186403.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8a989a12-2ab0-410f-944e-c9c2dbc5069a/mexunamajawoxukuviwute.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f441aabb-5a2a-4f49-8442-3ecd88bbf101/cummins_isx_emplacement_du_capteur_de_puissance.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9665c117-cfad-4b0a-84a1-6baf98986fcb/figafamasejoxo.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f8f8383a-a6c9-4f9d-a35d-639d7eb5b825/how_to_clean_pit_boss_smoker_glass.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2709bc86-3fe1-434f-9e58-a29be06c2583/ca_dmv_driver_test_practice.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e72bb678-187a-4cf6-9e61-2527dbd80599/pijoluw.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/5db1c3a3-a477-46b7-9ffe-c3f00f5b9488/hp_officejet_6500_wireless_printer_setup.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ea51990c-715d-4c9e-bf4b-955470ead80a/2471125746.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/5453215b-67d2-412a-bb93-97f6b245da46/suvosipi.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7050a494-efd0-49ec-908f-0a0b9fa982c1/viwazopidividenutas.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d8228444-921a-409d-b128-f6118d4ee138/how_to_weld_free_download.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d5ac1f40-5744-49ec-afd9-54ef055dd863/3000_english_words_with_tamil_meaning.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/3de5d503-c90e-4be6-97e1-88a69813616d/the_history_of_love_movie_synopsis.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00015169.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x15169	5476 bytes
SHA-256: `bcba3d5f2f0c55781c0252a8c29e9c097ec3febb03bdfd9b4b95ea8a853d78d8`
`font_01_sfnt_off0001640f.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1640F	12904 bytes
SHA-256: `0200e85526b3a228f12e7cc0c59c5dd8563ba04f90f723664e38e05e2009aecc`

Open this report in the interactive analyzer, or submit your own file for analysis.