PDF malware analysis — malicious · 7d65735b19893421

MALICIOUS

PDF

98.6 KB Created: 2021-04-04 11:41:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 12778b9e63affb745f1a26394596b34f SHA-1: e7baaa5cf404aa9cab89b0f5112bc06e3dc8b7c2 SHA-256: 7d65735b19893421bd999a45af3c4a76db9fce77bd86fc355d22e2ace308f83f

236 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains an embedded script and heuristics indicate it's a malicious payload. The document body and heuristics suggest a lure related to 'Windows powershell scripting tutorial for beginners' to trick users into executing the embedded script. This script likely downloads and executes a second-stage payload from the external URL found in the PDF.

Machine Learning

Nyx PDF Classifier malicious score 0.9996

Heuristics 8

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE

Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://seumenha.ru/strik?utm_term=windows+powershell+scripting+tutorial+for+beginners
- https://static.s123-cdn-static.com/uploads/4417129/normal_5ffb49cd5e7f2.pdf
- https://cdn-cms.f-static.net/uploads/4459794/normal_603f4a4d5078f.pdf
- http://arendaavto.taxi/you_are_strong_my_daughter_quotesyx887.pdf
- https://static.s123-cdn-static.com/uploads/4447278/normal_5fc5fef6caa05.pdf
- http://world-wildshop.com/74046971265953qr.pdf
- https://cdn-cms.f-static.net/uploads/4405179/normal_6017437dee70b.pdf
- https://cdn-cms.f-static.net/uploads/4383308/normal_5fe7d94a45c9b.pdf
- https://cdn-cms.f-static.net/uploads/4368982/normal_602dec05a774c.pdf
- https://static.s123-cdn-static.com/uploads/4459921/normal_5ffcf59222562.pdf
- http://dojixosop.iblogger.org/anemia_oms_2020.pdf
- https://cdn-cms.f-static.net/uploads/4476758/normal_6014650747098.pdf
- https://s3.amazo
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/veledabejufi/instagram_video_er_chrome_extension.pdf
- https://s3.amazonaws.com/feseni/bemba_dictionary_app.pdf
- https://d1b33a7b-cde1-45d4-bc15-d4d3b6236ac5.filesusr.com/ugd/1d64af_f14d59210a324cc98f7b78f8e8b6e5a8.pdf?index=true
- http://xijovapafibowuw.rf.gd/nunix.pdf
- https://b585a76b-fab5-4024-b0d2-f3ad95444197.filesusr.com/ugd/404203_9b7b5b03c9c749bdb2b66164d583da8b.pdf?index=true
- https://s3.amazonaws.com/golepe/14439035788.pdf
- https://dc688580-c0ec-4ade-910b-7abffd870ab4.filesusr.com/ugd/096b61_7e003308c31747bfb996a2060c6d2e79.pdf?index=true
- http://tejutixofefadi.rf.gd/what_type_of_chemical_reaction_is_so3g__h2ol__h2so4aq.pdf
- https://s3.amazonaws.com/vavale/taco_bell_power_bowl_calories_steak.pdf
- https://76c9fb28-c10e-4950-85be-37de24a2ede8.filesusr.com/ugd/fa32a6_77f2db39366e409da48ed7081df09214.pdf?index=true
- https://s3.amazonaws.com/donukadizolin/present_simple_affirmative_negative_interrogative_worksheet.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_pdf_script_000184a6.bin` `a276879bd650975cea6f3a1d962c6e9bfeda21abd820b79625176a45892d24c2`	pdf-embedded-script	PDF raw stream script payload at offset 0x184A6	1677 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 7 shell/COM execution token(s).
`font_00_sfnt_off00013d7c.bin` `1cb591c537f5ce9b13d8ce2af4925c67681142455e00eb0de41c796218da3e96`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13D7C	5664 bytes
`font_01_sfnt_off000150d4.bin` `3c5831a749a456aa7b84e3f33636cb50a2e13a73ee7928dca5da40c3e5860e66`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x150D4	12308 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.