Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d0ed2381e6b3294…

Verdict: MALICIOUS
File type: PDF
Size: 78.0 KB
Created: 2021-05-17 10:17:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-25
MD5: d310ee11bad8b2548d998c7f16777c43
SHA-1: 57ee5765d84684ae145ca7bd015a69e5944a93c2
SHA-256: 9d0ed2381e6b32946992962524fbce928f91e6ac4e165abd9017eb26822d6d2d
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://fokemale.ru/strik?utm_term=taotao+110+atv+battery (PDF link annotation)
    • http://amsidisi.xyz/vmware_player_14_toolsp39sc.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4411701/normal_5ffb1640a2213.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4406473/normal_5fd5ff11bd36d.pdf (in PDF document text)
    • http://introdom.ru/46108324099tcyad.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4393772/normal_6025347cc1329.pdf (in PDF document text)
    • http://sodaapp.pro/motivational_interviewing_course_onlinee1gmd.pdf (in PDF document text)
    • http://vinograd.io/why_does_my_craftsman_lawn_mower_starts_but_stallsod39f.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4465938/normal_5ffe1df14cdef.pdf (in PDF document text)
    • http://filemarker.store/13818291501qsvow.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4381544/normal_60239876c6a7a.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4447641/normal_5fe8eb709760a.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4410002/normal_6039e97d601e2.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4405904/normal_6051f42b681e9.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/bezorito/best_adventure_games_android_reddit.pdf (in PDF document text)
    • https://s3.amazonaws.com/xazarujokemus/91664628135.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7e4c7eea-964e-4f56-bec0-cd71fd56f2c9/who_won_the_person_of_the_year_2020.pdf (in PDF document text)
    • https://s3.amazonaws.com/fovezewi/47541720377.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2a4e7824-5dfb-45d8-994c-319fd4cfba83/where_can_i_get_the_after_books.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/106580e5-ff8b-4516-af66-c4d31492c6dc/semufogejagatuv.pdf (in PDF document text)
    • https://s3.amazonaws.com/benuka/26181064866.pdf (in PDF document text)
    • https://s3.amazonaws.com/lodazojamuva/what_is_the_most_caffeinated_drink_at_dunkin_donuts.pdf (in PDF document text)
    • https://s3.amazonaws.com/jipowumat/54852009763.pdf (in PDF document text)
    • https://s3.amazonaws.com/sojuravewi/devowexegevumijuwod.pdf (in PDF document text)
    • https://s3.amazonaws.com/wurivuve/why_did_he_disappear_for_a_week.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d4a03884-f492-4c7d-81df-b03d89a8b010/2013_ap_bio_frq_answers.pdf (in PDF document text)
    • https://s3.amazonaws.com/sinamozagemoger/5943045046.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f362.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF362
    Size: 4912 bytes
    SHA-256: b829cb0645a30c5c79924f5976ad7172730aa17ea70ea633fda4e3866a4abd3c
  • Filename: font_01_sfnt_off00010437.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10437
    Size: 10924 bytes
    SHA-256: 7b4538071175297484e8ead1cbb18cac7219fef98d0c4b4d8bb7faea8ee36413