Malicious PDF — malware analysis report

Static analysis result for SHA-256 b96a7788309781fd…

Verdict: MALICIOUS
File type: PDF
Size: 174.9 KB
Created: 2021-02-14 15:24:27 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: 23032c0527791ea640342831e61c0c3f
SHA-1: 57c57b30722802bf1822c1ee538ac531c8cbc8cf
SHA-256: b96a7788309781fde7b1af06d4d5f9577358ce99b4db547ee9423d95a452ac35
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8263

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (19)

Files carved from inside the sample during analysis.
