MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9826
Heuristics 4
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- URL: https://nomylo.ru/pbw?utm_term=walang+hanggang+paalam+dec+4 (PDF link annotation)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00032637.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x32637 | 5312 bytes | cb074efb949b0dc3c84f744e1909f1e2f72fd7f4509732898530f040cc7453af |
| font_01_sfnt_off00033837.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x33837 | 10780 bytes | 759d4925792daca357ae1418d9559604142d8af1a38afd52a6e1080796d1f5d8 |