Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2c5b075c4cd9165…

Verdict: MALICIOUS
File type: PDF
Size: 79.7 KB
Created: 2021-04-07 22:20:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: fd1b46efdaf38561b3cc3ceec9d201ab
SHA-1: c21c2d8f2526ec7b6ea788c98e43cc26dcd4f620
SHA-256: b2c5b075c4cd9165e6f76fe41559d037dfd96538cdb963addad4231f028d54ba
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript (assigned by the analyzer; note that none of the heuristics below reports JavaScript in this sample, and the only active content found is a link annotation)

This PDF document was flagged as malicious by ClamAV (a Pdf.Phishing.Trojan signature) and by the Nyx ML classifier. The only active element is a link annotation whose /URI action points at jottigo.ru; a viewer opens that target when the user clicks the link. The remaining extracted URLs are plain strings in the page text or metadata, not actions. The full URL list and the per-URL channel labels for this sample are given under the Embedded URL heuristic below.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9967

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jottigo.ru/123?utm_term=bahria+town+nawabshah+booking+form (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4415302/normal_600fc663c3095.pdf (in PDF document text)
    • http://jejovonen.22web.org/mobile_attendance_system_project_in_android_github.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4463532/normal_5fe3aca4af0e1.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4423137/normal_5fecc150c2bec.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4468838/normal_600eb68a84ee4.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4485569/normal_605d38d731171.pdf (in PDF document text)
    • http://gejopuzebizovuk.iblogger.org/kaise_bataye_song.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4489052/normal_603975f1cdc67.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4421339/normal_6028bd0a0ab40.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4413012/normal_600bf2c73ae1a.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4421040/normal_60413c5d2bba6.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6308bc72-e10f-46c5-89bc-0830a6509f04/how_to_clean_automatic_soap_dispenser.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/54507c0e-dfc1-4d0a-8f5b-811e0c61e64e/21112010616.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f30f4730-3546-4e34-bc72-395ba9e409db/detatamakepamibibobil.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ca751297-40e8-4483-a336-4775b563dd59/42310275366.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/88f26997-f5b7-426b-b097-8054e6be677d/62365356707.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f078a1b8-3b5c-405e-9faf-a0f17d3d2f77/bissell_big_green_clean_machine_1671_parts.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ceee35d6-800a-45e2-b515-5cd3ba56372b/synonym_and_antonym_lesson_plans_4th_grade.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6d7be00b-fc92-4840-b58d-445695d4252f/scott_pilgrim_vs_the_world_game_release_date_2020_online_multiplayer.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/db80a856-ee72-4004-b6aa-1619ce938a47/what_is_the_importance_of_a_college_education_essay.pdf (in PDF document text)
    • http://bibikefogive.epizy.com/idautomation_free_code_39_barcode_font.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7758e921-1e8e-4c6a-b6ae-6482efc703b5/19286756485.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b144921a-a4c1-4ef9-97e9-8fa788b110c3/81151580571.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d636fa50-02f4-417e-998a-437e2c6b57dd/jitterbug_flip_phone_best_buy.pdf (in PDF document text)
    • http://mukefuzu.rf.gd/advantages_and_disadvantages_of_new_technology.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f2bc2e3a-8802-40c8-ac91-f9f8466f8b1a/23066740219.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    Only the first entry is reachable through an action: it is the /URI target of a link annotation, which a viewer opens on click. Every other entry is a string found in page text or metadata. The w3.org, purl.org and ns.adobe.com entries are standard RDF/XMP namespace identifiers from the document's XMP metadata, scripts.sil.org/OFL is the SIL Open Font License URL normally carried in embedded font license fields, and ascendercorp.com is a font foundry site, so those most likely originate from the two embedded sfnt fonts rather than from the phishing content.
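The two structural heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI) are easy to reproduce for triage. The script below is an added example, not code from the report's analyzer: it scans a PDF for every `N G obj ... endobj` definition, reports object numbers defined more than once with different bytes, shows which body a first-wins reader versus a last-wins reader would resolve, raises severity only when a duplicate carries active-content keys, and extracts /URI action targets from both literal `(...)` and hex `<...>` strings so a hex-encoded URL does not slip past a grep. The input is a constructed two-revision PDF (the hosts example.invalid and the object layout are invented for the demo); the scanner is regex-based, parses no xref table and does not expand compressed object streams (/ObjStm), so treat it as a triage aid rather than a conforming parser.

```python
import re

# Constructed sample (not the analysed file): a two-revision PDF whose incremental
# update redefines object 4, the page's link annotation, with a different /URI.
# The second revision hides its target in a hex string.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://example.invalid/benign) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI <68747470733a2f2f6578616d706c652e696e76616c69642f7068697368> >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# 'N G obj <body> endobj'; non-greedy so each definition ends at its own endobj.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# '/URI' followed by a literal string (group 1) or a hex string (group 2).
# '/S /URI' is followed by another name, not a string, so it does not match.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.DOTALL)
# Dictionary keys that make an object "active": actions, scripts, launches.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/ImportData", b"/RichMedia")

_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
        b"\n": b"", b"\r": b""}          # backslash-newline is a line continuation


def _unescape(m):
    tok = m.group(1)
    if tok.isdigit():                     # \ddd octal escape
        return bytes([int(tok, 8) & 0xFF])
    return _ESC.get(tok, tok)             # \( \) \\ and unknown escapes: the char itself


def decode_pdf_string(literal, hexstr):
    """Decode the body of a PDF literal (...) or hex <...> string to text."""
    if hexstr is not None:
        h = re.sub(rb"\s+", b"", hexstr)
        if len(h) % 2:                    # odd digit count: the spec pads with 0
            h += b"0"
        return bytes.fromhex(h.decode("ascii")).decode("latin-1")
    return re.sub(rb"\\(\d{1,3}|.)", _unescape, literal, flags=re.DOTALL).decode("latin-1")


def iter_objects(data):
    """Yield (num, gen, offset, body) for every object definition in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.start(), m.group(3).strip()


def find_duplicate_objects(data):
    """Map (num, gen) -> [body, ...] for objects defined more than once with differing bytes."""
    defs = {}
    for num, gen, _off, body in iter_objects(data):
        defs.setdefault((num, gen), []).append(body)
    return {k: v for k, v in defs.items() if len(set(v)) > 1}


def has_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def resolve(data, num, gen, policy="last"):
    """Body a reader uses: 'first' wins (some scanners) or 'last' wins (incremental-update semantics)."""
    bodies = [b for n, g, _o, b in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[-1] if policy == "last" else bodies[0]


def extract_uri_actions(data):
    """Every /URI string in every object definition, duplicates included: (num, gen, offset, uri)."""
    found = []
    for num, gen, off, body in iter_objects(data):
        for m in URI_RE.finditer(body):
            found.append((num, gen, off, decode_pdf_string(m.group(1), m.group(2))))
    return found


def analyse(data):
    """(rule, severity, detail) findings mirroring the two structural heuristics of the report."""
    findings = []
    for (num, gen), bodies in find_duplicate_objects(data).items():
        severity = "warning" if any(has_active_content(b) for b in bodies) else "info"
        findings.append(("PDF_DUPLICATE_OBJ_BODY_INCREMENTAL", severity,
                         f"{num} {gen} obj defined {len(bodies)} times, {len(set(bodies))} distinct bodies"))
    for num, gen, _off, uri in extract_uri_actions(data):
        findings.append(("PDF_URI", "info", f"{num} {gen} obj -> {uri}"))
    return findings


if __name__ == "__main__":
    for rule, sev, detail in analyse(SAMPLE_PDF):
        print(f"{rule:38} {sev:8} {detail}")
    print("first-wins body:", resolve(SAMPLE_PDF, 4, 0, "first"))
    print("last-wins body: ", resolve(SAMPLE_PDF, 4, 0, "last"))
```

Run it against a real sample with `analyse(open(path, "rb").read())`; when a duplicate is reported, compare `resolve(..., "first")` and `resolve(..., "last")` by hand, since a scanner that stops at the first definition will see the benign body while a conforming viewer renders the last one.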

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                        Size
font_00_sfnt_off0000f85c.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xF85C     5496 bytes
    SHA-256: d41b35cd3da6cfe8d6597f13501d5632e2c604cd955a7e246e878c16f7716ec2
font_01_sfnt_off00010afc.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x10AFC    11172 bytes
    SHA-256: 839fefac6eb5bd835c2e9c542b1379b486a155ad0d5c72e614fd7cf386501f72