Verdict: MALICIOUS
Risk Score: 76
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains heuristics indicating it is malicious and embeds external URLs, one of which is associated with a 'genetec video player windows 10' lure. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic suggests the document may be instructing the user to decrypt a password-protected archive, a common tactic to bypass gateway security. The ML classifier strongly flags this PDF as malicious, supporting the conclusion that it is part of a phishing or malware distribution scheme.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9998
Heuristics 4
- Password-protected archive handoff (high) SE_PASSWORD_ARCHIVE_LURE: Document gives password instructions for an archive or attachment, a tactic often used to keep payloads encrypted until after gateway scanning.
- External URI (info) PDF_URI: PDF contains an external URL action.
- Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL
- https://lozipotod.ru/123?utm_term=genetec+video+player++windows+10
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000f7e7.bin (72daea7e83671aaf9a8f049cc77aea7525319f7e3b384d3c469d95227be8035e) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF7E7 | 5548 bytes |
| font_01_sfnt_off00010af6.bin (4bcc34b71bbdbd55dd0252d76f40472a465652d1941fcc3659dc034678523056) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10AF6 | 11380 bytes |