Malicious PDF — malware analysis report

Static analysis result for SHA-256 7d649b6014f80c8a…

Verdict: MALICIOUS
File type: PDF
Size: 95.7 KB
Created: 2021-05-24 00:54:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: 9b983d183cd32e778cb74514e38fea0f
SHA-1: 1241fb100f19dfd5f55069045e1b7af9738b538c
SHA-256: 7d649b6014f80c8a18eb984a3a93772d143cf7e7319b7f52b5f46e0616ba62e5
Risk score: 66

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The document is an HTML page rendered to PDF with wkhtmltopdf. Its one clickable element is a link annotation whose URI action opens https://golowaki.ru/strik?utm_term=certificacion+de+tenencias+estado+de+morelos; the utm_term dresses the link up as a vehicle-tax certification ("certificación de tenencias") from the Mexican state of Morelos, a government-document lure. ClamAV matches the file with a phishing signature, and a single external URI action behind such a lure is the usual delivery mechanism for a credential-phishing page or a malware download, so the verdict is malicious. The many other URLs occur only as printed text in the page body, not as link actions, and are not detections in themselves. No scripts were extracted, so the T1059.007 (JavaScript) mapping above is not supported by the static findings; the verdict rests on the ClamAV signature and the link annotation.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3363

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV's phishing signature matched this file. This is the only critical-severity finding; the remaining heuristics are informational.
  • External URI (info, PDF_URI)
    The PDF contains a /URI action, i.e. a link that opens an external URL when the reader follows it.
  • PDF differential parser failed (info, PDF_DIFFERENTIAL_PARSE_FAILED)
    The cross-check parser (pdfminer.six) raised PDFSyntaxError on this file. The static heuristics still ran and their findings above stand; only the differential cross-check signal is missing. Parser disagreement is itself worth a look: a file that viewers render but a strict parser rejects may be malformed by accident or deliberately, and a second independent parser should settle which before any structural claim about the file is trusted.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL is not in itself a detection; the label after each one says which channel (macro, JS, link annotation, document body, ...) reached it. Only the first URL below is a link annotation, i.e. a click target; the rest occur as printed text. Among those, http://scripts.sil.org/OFL, http://www.ascendercorp.com/ and http://www.daltonmaag.com/ are a font-license URL and two type-foundry addresses of the kind carried in the name tables of embedded fonts (three sfnt font programs were carved from this sample), not part of the lure text.
    • https://golowaki.ru/strik?utm_term=certificacion+de+tenencias+estado+de+morelos  [PDF link annotation]
    • https://cdn-cms.f-static.net/uploads/4422147/normal_6045171403b16.pdf  [in PDF document text]
    • https://cdn-cms.f-static.net/uploads/4379602/normal_6038090d29238.pdf  [in PDF document text]
    • https://cdn-cms.f-static.net/uploads/4402533/normal_6038d0dde9ff7.pdf  [in PDF document text]
    • https://cdn-cms.f-static.net/uploads/4501367/normal_6009ae3f222b2.pdf  [in PDF document text]
    • https://static.s123-cdn-static.com/uploads/4378383/normal_5feba93221586.pdf  [in PDF document text]
    • https://cdn-cms.f-static.net/uploads/4387433/normal_6044ccbed35d0.pdf  [in PDF document text]
    • https://static.s123-cdn-static.com/uploads/4487632/normal_6004723dda19a.pdf  [in PDF document text]
    • https://static.s123-cdn-static.com/uploads/4481516/normal_5fe01bdcdf4c8.pdf  [in PDF document text]
    • https://cdn-cms.f-static.net/uploads/4478685/normal_5fdb02951dfaf.pdf  [in PDF document text]
    • https://cdn-cms.f-static.net/uploads/4471091/normal_604d1ae586955.pdf  [in PDF document text]
    • https://cdn-cms.f-static.net/uploads/4476941/normal_604d3e74c8555.pdf  [in PDF document text]
    • https://static.s123-cdn-static.com/uploads/4416929/normal_5ffc9bc937229.pdf  [in PDF document text]
    • https://cdn-cms.f-static.net/uploads/4422133/normal_600f7f0977811.pdf  [in PDF document text]
    • https://cdn-cms.f-static.net/uploads/4367937/normal_5fe894520fe23.pdf  [in PDF document text]
    • https://static.s123-cdn-static.com/uploads/4487663/normal_5ff3533e99d03.pdf  [in PDF document text]
    • https://cdn-cms.f-static.net/uploads/4451950/normal_6054f9e8df943.pdf  [in PDF document text]
    • https://cdn-cms.f-static.net/uploads/4373304/normal_5fd9fa6fd5728.pdf  [in PDF document text]
    • http://www.ascendercorp.com/  [in PDF document text]
    • http://www.ascendercorp.com/typedesigners.html  [in PDF document text]
    • http://www.daltonmaag.com/  [in PDF document text]
    • https://s3.amazonaws.com/kulinisokakewi/12702052291.pdf  [in PDF document text]
    • https://s3.amazonaws.com/bagisi/42216330813.pdf  [in PDF document text]
    • https://s3.amazonaws.com/retisovojor/engineering_drawing_instruments_and_their_uses.pdf  [in PDF document text]
    • https://s3.amazonaws.com/xidazeze/59893356163.pdf  [in PDF document text]
    • https://s3.amazonaws.com/jalasilunaz/5397021454.pdf  [in PDF document text]
    • https://s3.amazonaws.com/rexogeguxosix/toolbar_back_arrow_color_android.pdf  [in PDF document text]
    • https://s3.amazonaws.com/mesixadelomomo/94243786322.pdf  [in PDF document text]
    • https://s3.amazonaws.com/fixararololu/53190442874.pdf  [in PDF document text]
    • https://s3.amazonaws.com/levumoduf/bennie_and_the_jets_piano_sheets.pdf  [in PDF document text]
    • http://scripts.sil.org/OFL  [in PDF document text]
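The heuristics above hinge on which channel reached a URL: a string-valued /URI key inside a URI action is a click target, while a URL printed in a content stream is just text. The script below is an added example (not the analysis platform's own code) that makes that distinction on a constructed, uncompressed PDF carrying the report's lure URL as a link annotation and one of its CDN URLs as body text, checks for the /JS or /JavaScript keys that a T1059.007 mapping would require, and runs pdfminer.six as an optional differential cross-check the way the PDF_DIFFERENTIAL_PARSE_FAILED heuristic describes. It deliberately skips /FlateDecode inflation and object streams, which a real extractor must handle.

```python
"""Channel-aware URL extraction for a PDF (added example; not the platform's code).

Runs offline on a constructed, uncompressed PDF. Compressed streams and object
streams are skipped here on purpose; a production extractor inflates them.
"""
import io
import re
from typing import Dict, List

# Constructed sample: a link annotation whose /URI action points at the lure
# URL from the report, plus a different URL merely printed in the page text.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
  /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 146 >>
stream
BT /F1 12 Tf 72 700 Td (Descargue su certificacion aqui) Tj
0 -20 Td (https://cdn-cms.f-static.net/uploads/4422147/normal_6045171403b16.pdf) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 400 712]
  /A << /S /URI /URI (https://golowaki.ru/strik?utm_term=certificacion+de+tenencias+estado+de+morelos) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same constructed document with an OpenAction that runs JavaScript: this is
# what has_javascript() would have to find before T1059.007 is justified.
SAMPLE_PDF_WITH_JS = SAMPLE_PDF.replace(
    b"/Type /Catalog",
    b"/Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert\\(1\\)) >>")

URL_RE = re.compile(r"""https?://[^\s()<>"']+""")


def _unescape(lit: bytes) -> str:
    # Undo the PDF literal-string escapes that matter for URLs: \( \) \\
    return re.sub(rb"\\([()\\])", lambda m: m.group(1), lit).decode("latin-1")


def extract_uri_actions(pdf: bytes) -> List[str]:
    """URLs that are click targets: string-valued /URI keys of URI actions.
    '/S /URI' has a name value, not a string, so it is not picked up."""
    return [_unescape(m.group(1))
            for m in re.finditer(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", pdf)]


def extract_body_urls(pdf: bytes) -> List[str]:
    """URLs that are merely printed: string literals inside uncompressed
    content streams. Streams with a /Filter are skipped in this example."""
    urls: List[str] = []
    for m in re.finditer(rb"<<([^>]*?)>>\s*stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        if b"/Filter" in m.group(1):
            continue
        for lit in re.finditer(rb"\(((?:\\.|[^\\)])*)\)", m.group(2)):
            urls.extend(URL_RE.findall(_unescape(lit.group(1))))
    return urls


def has_javascript(pdf: bytes) -> bool:
    """True if any /JS or /JavaScript key or name is present anywhere."""
    return re.search(rb"/(JS|JavaScript)\b", pdf) is not None


def classify_urls(pdf: bytes) -> Dict[str, List[str]]:
    """Map each URL to the channels that reached it, like the per-URL labels."""
    channels: Dict[str, List[str]] = {}
    for url in extract_uri_actions(pdf):
        channels.setdefault(url, []).append("link annotation")
    for url in extract_body_urls(pdf):
        chans = channels.setdefault(url, [])
        if "document text" not in chans:
            chans.append("document text")
    return channels


def differential_parse(pdf: bytes) -> str:
    """Cross-check with pdfminer.six when installed. A parse failure is a
    signal about the file's structure, not a verdict; the regex heuristics
    above still apply, exactly as the report's heuristic text says."""
    try:
        from pdfminer.high_level import extract_text
    except ImportError:
        return "skipped: pdfminer.six not installed"
    try:
        extract_text(io.BytesIO(pdf))
        return "ok"
    except Exception as exc:  # pdfminer raises PDFSyntaxError and friends
        return f"failed: {type(exc).__name__}"


if __name__ == "__main__":
    for url, chans in classify_urls(SAMPLE_PDF).items():
        print(url, "<-", ", ".join(chans))
    print("javascript present:", has_javascript(SAMPLE_PDF))
    print("differential parse:", differential_parse(SAMPLE_PDF))
```

On the constructed sample the golowaki.ru URL comes back labelled "link annotation" and the f-static.net URL "document text", and has_javascript() is False, matching the report's "no scripts were extracted"; on SAMPLE_PDF_WITH_JS it is True, which is the evidence a T1059.007 mapping needs.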

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType) font programs, which is what a wkhtmltopdf rendering that embeds its fonts produces; no scripts, attachments or other payloads were carved.

Filename                       Kind             Source                                      Size
font_00_sfnt_off00013908.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x13908  4980 bytes
  SHA-256: a320a20b4ac79d52689f6f61dadc3907e586e74bf323ac508806754013d3dc5d
font_01_sfnt_off000149d4.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x149D4  12164 bytes
  SHA-256: d586def85c8b8cddec218648a861caa9b1842763b9cb4a2cdaadf921da1f8fb5
font_02_sfnt_off00017189.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x17189  4324 bytes
  SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
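The artifact table names each carved font by the offset of its sfnt stream, and the URL list attributes font-license and foundry URLs to "document text". The script below is an added example (not the platform's carver) that shows both steps on a constructed PDF: it locates uncompressed streams beginning with an sfnt magic, hashes them as the table does, and reads the font's 'name' table so that URLs such as http://scripts.sil.org/OFL can be traced to font metadata rather than to the lure. The font itself is built inline by build_sfnt() with only a 'name' table; it is a parser fixture, not a usable font, and the /Length check a real carver would honour is omitted.

```python
"""Carve embedded sfnt fonts from a PDF and read their 'name' tables
(added example; not the analysis platform's own carver)."""
import hashlib
import re
import struct
from typing import Dict, List, Tuple

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")

# OpenType 'name' IDs that carry URLs
NAME_IDS = {11: "vendor URL", 12: "designer URL", 14: "license URL"}


def build_sfnt(names: Dict[int, str]) -> bytes:
    """Constructed minimal sfnt: offset table + a single 'name' table with
    Macintosh-platform (ASCII) records. A fixture for the parser, not a font."""
    records, storage = b"", b""
    for name_id, text in sorted(names.items()):
        data = text.encode("ascii")
        # platformID=1 (Macintosh), encodingID=0, languageID=0, nameID, length, offset
        records += struct.pack(">HHHHHH", 1, 0, 0, name_id, len(data), len(storage))
        storage += data
    name_table = struct.pack(">HHH", 0, len(names), 6 + len(records)) + records + storage
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)   # 1 table
    table_dir = struct.pack(">4sIII", b"name", 0, 12 + 16, len(name_table))
    return header + table_dir + name_table


def sfnt_names(font: bytes) -> Dict[int, str]:
    """Return {nameID: string} for the URL-bearing name IDs of an sfnt font."""
    num_tables = struct.unpack_from(">H", font, 4)[0]
    out: Dict[int, str] = {}
    for i in range(num_tables):
        tag, _csum, off, _len = struct.unpack_from(">4sIII", font, 12 + 16 * i)
        if tag != b"name":
            continue
        _fmt, count, str_off = struct.unpack_from(">HHH", font, off)
        for j in range(count):
            plat, _enc, _lang, nid, ln, so = struct.unpack_from(
                ">HHHHHH", font, off + 6 + 12 * j)
            raw = font[off + str_off + so: off + str_off + so + ln]
            if nid in NAME_IDS:
                # Unicode (0) and Windows (3) platforms store UTF-16BE strings
                out[nid] = raw.decode("utf-16-be" if plat in (0, 3) else "latin-1")
    return out


def carve_sfnt_streams(pdf: bytes) -> List[Tuple[int, bytes]]:
    """(offset, bytes) of every uncompressed stream that starts with an sfnt
    magic; the offset is how the report names its artifacts."""
    found: List[Tuple[int, bytes]] = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        body = m.group(1)
        if body.startswith(SFNT_MAGICS):
            found.append((m.start(1), body))
    return found


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def artifact_report(pdf: bytes) -> List[Dict[str, object]]:
    """One row per carved font: offset, size, SHA-256 and the URLs in its names."""
    return [{"offset": hex(off), "size": len(b), "sha256": sha256_hex(b),
             "names": sfnt_names(b)} for off, b in carve_sfnt_streams(pdf)]


# Constructed sample PDF embedding one font whose name table carries a license
# URL and a vendor URL, both taken from the report's URL list.
FONT = build_sfnt({14: "http://scripts.sil.org/OFL", 11: "http://www.daltonmaag.com/"})
SAMPLE_PDF = (b"%PDF-1.4\n7 0 obj << /Length " + str(len(FONT)).encode()
              + b" >>\nstream\n" + FONT + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for row in artifact_report(SAMPLE_PDF):
        print(row["offset"], row["size"], row["sha256"])
        for nid, url in row["names"].items():
            print("   ", NAME_IDS[nid], "->", url)
```

Running the carver over the real sample's three font streams and comparing the SHA-256 values with the table is how an analyst confirms the fonts were carved whole; reading their name tables is how the OFL and foundry URLs are shown to be font metadata.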