MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file triggers heuristics indicating an external URI and is flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. The document body, though heavily obfuscated, contains text related to 'Shadow age rating' and 'wkhtmltopdf', suggesting a lure. The embedded URL leads to a suspicious domain, likely intended to host a malicious payload or phishing page.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics 4
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI [info, PDF_URI]: PDF contains an external URL action
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- URL https://soxebez.ru/strik?utm_term=shadow+age+rating (PDF link annotation)
Extracted artifacts: 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f0ea.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF0EA | 5072 bytes | f733c8d734882e1238651bc8aeca3e10c526e5274de8c9c98be3ed0912d39068 |
| font_01_sfnt_off00010237.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10237 | 10732 bytes | 0374cab64a10a083006254f316daac1893e45503ee0de88fc3e1cfff7c034861 |