Malicious PDF — malware analysis report

Static analysis result for SHA-256 e41439d4f6315386…

MALICIOUS

PDF

Size: 107.9 KB
Created: 2020-12-22 04:43:47 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-05
MD5: 4e51fb9a6799dd5ae09dff544b290dc9
SHA-1: b7b8033a1475df7cf3be13f8dc13282a500fbb46
SHA-256: e41439d4f6315386c00bcdaa3e97bed0023ab975dee8d51c032700848e681eb5
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a clickable link annotation whose /URI action points at traffine.ru, a domain associated with malicious activity; the query string (utm_term=herobrine+skins+...) is a search-keyword payload of the kind seen in SEO-spam PDFs that redirect the reader to phishing or malware download pages. The Nyx classifier (0.9992) and the ClamAV Pdf.Phishing.Trojan signature agree on the verdict. No JavaScript or other script was extracted, so the link annotation is the only active content identified and the redirect, not script execution, is the delivery mechanism; the T1059.007 mapping is therefore not corroborated by the extracted content. The file also defines at least one indirect object more than once with differing bodies (an incremental-update shape), so a first-wins and a last-wins parser may not resolve the same content: confirm the link target with a spec-conforming (last-wins) reader before acting on it. The remaining URLs in the body text point to further PDFs on free file-hosting and CDN services, and the rest are XMP namespace and font-licence URIs from the metadata and the embedded fonts; none of these is a detection on its own.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Link annotation (clickable /URI action):
      • https://traffine.ru/strik?utm_term=herobrine+skins+skin+bobby+bobby1545+download
    In PDF document text (links to other hosted PDFs):
      • https://cdn-cms.f-static.net/uploads/4382189/normal_5fb76ce2ef5e8.pdf
      • https://cdn-cms.f-static.net/uploads/4382773/normal_5f8e3c6f4ce95.pdf
      • https://cdn-cms.f-static.net/uploads/4418180/normal_5fbabd5a3cb63.pdf
      • https://cdn-cms.f-static.net/uploads/4446494/normal_5fa6f849ade01.pdf
      • https://cdn-cms.f-static.net/uploads/4474998/normal_5fa7d44469f42.pdf
      • https://uploads.strikinglycdn.com/files/a7298f6c-350f-4217-b02b-21efc3e32812/28904480902.pdf
      • https://static1.squarespace.com/static/5fe0137e2dcd53187f21ff62/t/5fe04f8d1c66f52f5fb82322/1608535950700/dinner_meal_plan_template.pdf
      • https://static1.squarespace.com/static/5fc106a17848ba205d193829/t/5fc3607d4e98326c027c32d6/1606639742944/tomizinepasewowe.pdf
      • https://s3.amazonaws.com/lekizopiloref/nebajudefijini.pdf
      • https://uploads.strikinglycdn.com/files/7176be17-4273-4066-b7e3-7f2ea65d9ab3/10828620010.pdf
      • https://s3.amazonaws.com/xuxifuzituwu/6946121838.pdf
    In PDF document text (XMP metadata namespace URIs, not navigable links):
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/pdf/1.3/
      • http://ns.adobe.com/xap/1.0/
      • http://ns.adobe.com/xap/1.0/mm/
      • http://ns.adobe.com/xap/1.0/rights/
    In PDF document text (font foundry and licence references carried by the embedded fonts):
      • http://www.ascendercorp.com/
      • http://www.ascendercorp.com/typedesigners.html
      • http://scripts.sil.org/OFL
      • http://www.geocities.com/mitra_anirban/hobbies.htm (the extractor fused the adjacent text "GNU" onto this URL)
      • http://www.gnu.org/copyleft/gpl.htm (the extractor fused the adjacent text "Regular" onto this URL)
      • http://dejavu.sourceforge.net
      • http://dejavu.sourceforge.net/wiki/index.php/License
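The two structural heuristics above (a duplicated indirect object and a /URI action behind a link annotation) are easy to reproduce by hand. The script below is an added example, not the analysis platform's own code: it walks every `N G obj ... endobj` definition in file order, hashes the bodies, reports object numbers that are defined twice with different bytes (raising severity only when a body carries active content, as the heuristic description says), and then lists link-annotation URIs under a first-wins and a last-wins resolution policy so the disagreement between the two parser models is visible. The PDF bytes, the object numbers and the example.org / example.net targets are constructed placeholders, not content from this sample; only uncompressed objects and literal-string URIs are handled (no xref parsing, object streams or hex strings).

```python
"""Duplicate-object and link-URI check for a PDF, run on a constructed sample.

Added example, not the analysis platform's code. It demonstrates two heuristics from the
report: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (one `N G obj` defined twice with different
bytes, so first-wins and last-wins readers disagree) and PDF_URI (a /URI action reachable
from a /Link annotation). The PDF bytes, object numbers and example.org / example.net URLs
are constructed placeholders; only literal-string URIs and uncompressed objects are handled.
"""
import hashlib
import re
from collections import defaultdict

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
# Keys whose presence makes a duplicated object "active content" for severity purposes.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction", b"/AA", b"/SubmitForm")


def constructed_pdf() -> bytes:
    """Constructed sample: a one-page PDF plus an incremental update redefining object 4."""
    base = (
        b"%PDF-1.4\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Annots [4 0 R] >>\nendobj\n"
        b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 200 100]"
        b" /A << /S /URI /URI (https://example.org/benign) >> >>\nendobj\n"
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )
    # Incremental update (xref tables omitted for brevity): object 4 is redefined with a
    # different target. A last-wins reader, which is what the PDF update model prescribes,
    # follows example.net; a first-wins reader or a scanner that stops at the first hit
    # only ever sees example.org.
    update = (
        b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 200 100]"
        b" /A << /S /URI /URI (https://example.net/landing) >> >>\nendobj\n"
        b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n"
    )
    return base + update


def find_objects(data: bytes) -> dict:
    """(num, gen) -> list of (offset, body, sha256) for every definition, in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        body = m.group(3).strip()
        objs[(int(m.group(1)), int(m.group(2)))].append(
            (m.start(), body, hashlib.sha256(body).hexdigest()))
    return objs


def duplicate_objects(data: bytes) -> dict:
    """Objects defined more than once with differing bodies; severity raised if any body is active."""
    findings = {}
    for key, defs in find_objects(data).items():
        digests = [d[2] for d in defs]
        if len(defs) > 1 and len(set(digests)) > 1:
            active = any(k in d[1] for d in defs for k in ACTIVE_KEYS)
            findings[key] = {"digests": digests, "active": active,
                             "severity": "high" if active else "info"}
    return findings


def link_uris(data: bytes, policy: str) -> list:
    """URIs of /Link annotations, resolving duplicate objects first-wins or last-wins."""
    uris = []
    for defs in find_objects(data).values():
        body = defs[0][1] if policy == "first" else defs[-1][1]
        if re.search(rb"/Subtype\s*/Link\b", body):
            uris.extend(u.decode("latin-1") for u in URI_RE.findall(body))
    return uris


if __name__ == "__main__":
    pdf = constructed_pdf()
    print("duplicates:", duplicate_objects(pdf))
    print("first-wins:", link_uris(pdf, "first"))
    print("last-wins: ", link_uris(pdf, "last"))
```

On the constructed sample the duplicate report names object (4, 0) with two digests and severity "high" because the body carries a /URI action, while a duplicated object whose bodies differ only in passive keys stays at "info", mirroring the heuristic's rule. The two policies return different link targets, which is exactly why a triage tool should reconcile the URL it reports against what a conforming last-wins reader would actually open.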

Extracted artifacts (5)

Files carved from inside the sample during analysis. All five are sfnt (TrueType/OpenType) font streams, consistent with the DejaVu, SIL OFL and GPL licence URLs found in the document text.

Filename | Kind | Source | Size
font_00_sfnt_off0000dd47.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDD47 | 30680 bytes
  SHA-256: 60edbea0944e16292c6281dab9c3fd1b5ab33f76899e2554014eb7aa450f24d5
font_01_sfnt_off00013d8c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13D8C | 5444 bytes
  SHA-256: 155998a2a765560ab81039b1301db276a0dec8a5c69031720dd80e97a87377f5
font_02_sfnt_off0001503e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1503E | 5376 bytes
  SHA-256: 9138bdc661f192e9cfc9e00fbb148c65e7b08a14454c50f536b9259e35789a48
font_03_sfnt_off000161c7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x161C7 | 13008 bytes
  SHA-256: 1de583ff84eb5786582f4100c701e05c3ce143fc18444202e77fe555d9b17313
font_04_sfnt_off00018af1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18AF1 | 16460 bytes
  SHA-256: 03b2773a790dad6698a0932078131f6765b1e82f294c2bc4c82c180e57fdbfe6