PDF malware analysis — malicious · 98efe55ba086ea64

MALICIOUS

PDF

244.3 KB Created: 2021-03-09 05:37:11 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-22

MD5: 8c8ecd1fc0b8e84a708b5d2899cebb4c SHA-1: 9c11d2af6f5f18b018cce452ea98f9f827bafda9 SHA-256: 98efe55ba086ea640a1528a1516b4dd7842624ff200a6b0dc12dbcaa45109519

104 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. It uses an urgency-based lure. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

Nyx PDF Classifier malicious score 0.9876

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://baarspo.ru/strik?utm_term=midea+pressure+cooker+my-12ls605a PDF link annotation
- https://static.s123-cdn-static.com/uploads/4374704/normal_6000b5749e63f.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4387918/normal_5ffd7ed86cc8b.pdfIn PDF document text
- https://cdn.sqhk.co/kawiwitifa/g3wAgob/accounts_receivable_aging_report_tcode_in_sap.pdfIn PDF document text
- https://titezexi.weebly.com/uploads/1/3/4/6/134639754/590ca6.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4426072/normal_6029712c49579.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4470837/normal_600dfbed8a0bf.pdfIn PDF document text
- https://cdn.sqhk.co/mowasikuso/gbhaghj/verizon_wireless_international_calls.pdfIn PDF document text
- https://vajefusuvujob.weebly.com/uploads/1/3/4/4/134464162/jutazeworenukof-pidoziwasoxusi-jikuwosewalam-mebovijanala.pdfIn PDF document text
- https://cdn.sqhk.co/bezakebijuk/QHpiejf/goal._com_arsenal_news.pdfIn PDF document text
- https://cdn.sqhk.co/wofazexej/cgdhd1I/48318856083.pdfIn PDF document text
- https://xapovakugad.weebly.com/uploads/1/3/5/3/135393008/1328062.pdfIn PDF document text
- https://cdn.sqhk.co/togareguko/gzLDrja/xivemuwogapiwuru.pdfIn PDF document text
- https://fepafevadaxajaw.weebly.com/uploads/1/3/4/0/134095897/3547309.pdfIn PDF document text
- https://tonuvufew.weebly.com/uploads/1/3/1/4/131438708/zorixovet-wazamobawokabid-gofidep-rulawasinidudu.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4403819/normal_5fffbea431e65.pdfIn PDF document text
- https://zamosokajuzosa.weebly.com/uploads/1/3/4/6/134651904/6120456.pdfIn PDF document text
- https://serataxufo.weebly.com/uploads/1/3/1/6/131606193/powijisuzet.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/2c05724e-25b6-44b7-8fec-6df7fa370c6f/95242923308.pdfIn PDF document text
- http://zodejewab.epizy.com/wixetazuwufikegude.pdfIn PDF document text
- http://golorawubupub.rf.gd/a_breath_of_snow_and_ashes_outlander_book_6.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9d64026c-be9a-432f-95c9-501d9b757821/gukam.pdfIn PDF document text
- http://fegupiwum.rf.gd/basic_and_clinical_pharmacology_katzung_11th_edition.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7c9dffb8-8c78-4f64-92d1-44868615eca1/past_simple_present_perfect_exercise_doc.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_008_off0003a65b.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x3A65B	17936 bytes
SHA-256: `af3251d226e2f46fddcc507874e75837f36c86d071bfa72fa54eaff7fe39ec56`
`font_00_sfnt_off000364e3.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x364E3	6028 bytes
SHA-256: `231e4e299b4a38efdda11241cb1c1d1da03de3ced97f3ee3b5b5e90f3e4f1ac4`
`font_01_sfnt_off00037979.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x37979	14100 bytes
SHA-256: `140612befa9c878a7821e9250cadeb97cd3a669986a0b8f989292a9e888de641`

Open this report in the interactive analyzer, or submit your own file for analysis.