MALICIOUS
Risk Score: 104
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file presents a deceptive download button. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://leonvi.ru/123?utm_term=how+to+use+nbos+character+sheet+designer (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00010d90.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10D90 | 5360 bytes | c06dc5717472e80acd33d7c4315dc28e4422828d2f9adeaace832ab422ad54c1 |
| font_01_sfnt_off00011fd4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11FD4 | 11244 bytes | 7ca0e8803297bccacc670d649a4e1002bf61268813b3317b76925b045accc53b |