PDF malware analysis — malicious · a0e22f24b9bc2a8c

MALICIOUS

PDF

71.2 KB Created: 2020-11-20 17:02:34 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 1fa9781fdeeaf87d7f3901c530583732 SHA-1: 1ad5ae0ceb9b830c81e06f03b7d326933761c1b2 SHA-256: a0e22f24b9bc2a8cba18dbd9ec42a2998799265d4b2cc49b1618c1c296aad78a

136 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document that contains a URL leading to a phishing-related lure. Heuristics indicate it is a password-protected archive lure, suggesting it is designed to trick users into downloading and decrypting a malicious payload. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://traffnew.ru/aws?utm_term=ibps+online+form+fees
- https://cdn-cms.f-static.net/uploads/4366957/normal_5f88978d99f27.pdf
- https://cdn-cms.f-static.net/uploads/4382627/normal_5f8ba58b5fca9.pdf
- https://cdn-cms.f-static.net/uploads/4413002/normal_5fabb7f6c7bbc.pdf
- https://cdn-cms.f-static.net/uploads/4366989/normal_5f94cca9cec70.pdf
- https://cdn-cms.f-static.net/uploads/4481673/normal_5fb28be0a7df5.pdf
- https://cdn-cms.f-static.net/uploads/4412757/normal_5fb292de18a87.pdf
- https://cdn-cms.f-static.net/uploads/4366397/normal_5f8c710168f62.pdf
- https://cdn-cms.f-static.net/uploads/4446260/normal_5fa1d45eb0b91.pdf
- https://cdn-cms.f-static.net/uploads/4384649/normal_5f8d859738717.pdf
- https://cdn-cms.f-static.net/uploads/4423431/normal_5fb4291438cdd.pdf
- https://cdn-cms.f-static.net/uploads/4394072/normal_5f9e6ac51cbc1.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/7e33b07f-22a8-460c-8e87-039b43f18b05/65270924443.pdf
- https://uploads.strikinglycdn.com/files/f5fa4a25-bf54-4cf3-84a1-4d105f984d1b/selufojapo.pdf
- https://s3.amazonaws.com/zopenave/laregepudukelavejup.pdf
- https://s3.amazonaws.com/nakevoja/24608341925.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000dadf.bin` `9a5f75557d517d67bc278595371146b1effe9e567426f43326c635c6df0191c2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDADF	4912 bytes
`font_01_sfnt_off0000eb7e.bin` `6141c994283b0e4ca7dcbeaa2dbcdf6310a5d5639bdf3c7f171b019dabf8fdf6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEB7E	10840 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.