MALICIOUS (Risk Score: 104)
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file presents a deceptive download button. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9992
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://dugedepap.ru/123?utm_term=inquiry+letter+template+business (PDF link annotation)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f28a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF28A | 5268 bytes | 06a0c81ed74497ec0a997a78e4a6d5676185bd25583cc14cca06584f36c1a76a |
| font_01_sfnt_off00010461.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10461 | 11004 bytes | b7f0445f21d59fb73e68aa259934f0c94c3423a15ec55abb1c749a57f4bf316a |