Malicious PDF — malware analysis report

Static analysis result for SHA-256 edfe692dbab1234a…

Verdict: MALICIOUS
File type: PDF
Size: 77.9 KB
Created: 2021-03-14 13:00:52 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-01
MD5: 3049f0afbbbaaacf003f3dc5171830c3
SHA-1: 6c56083b4a46e1ab1098f2ec0e663440b8d2eead
SHA-256: edfe692dbab1234a1edd5541b8bc62f01f4c6c5703a655c924f63c5bbcb19a56
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF was flagged as malicious by a ClamAV phishing signature and by an ML classifier. It carries an external URL action (a link annotation pointing at an attacker-controlled host) together with a larger set of URLs that appear in the document text. The specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware under the signature above.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL label for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://crophysi.ru/strik?utm_term=how+to+develop+android+apps+in+mobile  [PDF link annotation]
    • https://cdn-cms.f-static.net/uploads/4457332/normal_60179a7e2010e.pdf  [In PDF document text]
    • https://cdn.sqhk.co/gukokefa/ic0ihl5/airbnb_stock_ipo_date_2020.pdf  [In PDF document text]
    • https://cdn.sqhk.co/fuvebopeweb/jaSjchK/maxamis.pdf  [In PDF document text]
    • https://cdn.sqhk.co/xuzalolotagi/9jgeKjh/olvidarte_nunca_letra_bronco.pdf  [In PDF document text]
    • https://cdn.sqhk.co/wapuvalapowa/hNgchi6/zomodo.pdf  [In PDF document text]
    • https://cdn.sqhk.co/sixojifez/agfygdR/zombie_frontier_sniper_mod_apk_v1._27.pdf  [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4420028/normal_601ece0418d4d.pdf  [In PDF document text]
    • https://cdn.sqhk.co/kubepugemaki/iOP4OP8/battlelands_royale_game_review.pdf  [In PDF document text]
    • https://cdn.sqhk.co/lakekomum/cJBUghC/metal_slug_attack_hack_medallas_apk.pdf  [In PDF document text]
    • https://cdn.sqhk.co/kefivaxepaj/Zmifgjh/45933285253.pdf  [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4408878/normal_600fb7492fcc1.pdf  [In PDF document text]
    • https://cdn.sqhk.co/temirikuji/EifgimJ/hot_pink_lips_clip_art.pdf  [In PDF document text]
    • http://www.ascendercorp.com/  [In PDF document text]
    • http://www.ascendercorp.com/typedesigners.html  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/16aa412e-75d6-48c0-ab85-7d9c05be6a6c/89688596340.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/c0189b39-37cb-4051-b46e-31a814b69b38/creating_android_app_for_beginners.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/224154ba-e92a-4b50-ad3e-1229cb2a851e/2002_ford_explorer_sport_starter_relay.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/aa3f5a4c-88fc-409f-a1b0-0ebf6fad3d49/83148885012.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/e55e8ae7-1214-43a6-ae38-732987955f1e/30062331744.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/711f03ec-1ce8-4b96-9319-2afee3e7f164/zoxuwupaparisilam.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/92f17be9-1f4c-4ade-bd00-3c719399cabc/91544264125.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/968e6e52-8696-4e07-aa20-3bb59feb125c/90688334577.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/8429151e-ff7d-431a-9d58-f921af554ec8/walmart_ps5_controller.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/db012781-f7fb-45f6-a9cd-df38fe6c9455/16450141445.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/ab67ea52-7794-42d1-ba1a-6349af46a6e3/what_is_the_importance_of_traditional_music_to_contemporary_music.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/231c197b-4d3c-454d-be21-a082cfa51da7/does_family_dollar_sell_pet_supplies.pdf  [In PDF document text]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  [In PDF document text]
    • http://purl.org/dc/elements/1.1/  [In PDF document text]
    • http://ns.adobe.com/pdf/1.3/  [In PDF document text]
    • http://ns.adobe.com/xap/1.0/  [In PDF document text]
    • http://ns.adobe.com/xap/1.0/mm/  [In PDF document text]
    • http://ns.adobe.com/xap/1.0/rights/  [In PDF document text]
    • http://scripts.sil.org/OFL  [In PDF document text]
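As an added example, not part of this report or of the scanner that produced it, the following Python shows the two checks behind the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL findings above, run over a constructed PDF. It collects every definition of each indirect object, reports the ones redefined with different bytes as a first-wins reader and a last-wins reader would each resolve them, escalating only when a definition carries active content, and labels each extracted URL by the channel that reaches it (a /Link annotation's /URI action versus plain document text). The sample bytes, the example.invalid hosts, the ACTIVE_KEYS list and the high/info severity labels are assumptions made for illustration, not values taken from this sample.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): a minimal PDF followed by one
# incremental update that redefines object 4 0 (a /Link annotation whose /URI
# target changes) and object 6 0 (the Info dict, a cosmetic change only).
# Every host is under example.invalid and exists only for this demo.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Contents 5 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://example.invalid/safe-looking) >> >>
endobj
5 0 obj
<< /Length 64 >>
stream
BT /F1 12 Tf 10 10 Td (Read https://example.invalid/docs.pdf today) Tj ET
endstream
endobj
6 0 obj
<< /Title (Report) /Producer (wkhtmltopdf 0.12.5) >>
endobj
trailer
<< /Root 1 0 R /Info 6 0 R /Size 7 >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://lure.example.invalid/strik) >> >>
endobj
6 0 obj
<< /Title (Report) /Producer (wkhtmltopdf 0.12.5 (via Qt 4.8.7)) >>
endobj
trailer
<< /Root 1 0 R /Info 6 0 R /Size 7 /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# Assumed list of dictionary keys that make a redefined object something a reader acts on.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR", b"/GoToE")

def parse_objects(data):
    """Map (num, gen) -> every body defined for it, in file order (xref ignored)."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs

def _uris(body):
    return [u.decode("latin-1") for u in URI_RE.findall(body)]

def duplicate_objects(objs):
    """Objects defined more than once with differing bytes, resolved both as a
    first-wins reader and as a last-wins reader would see them."""
    findings = []
    for key, bodies in sorted(objs.items()):
        if len(bodies) < 2 or len(set(bodies)) < 2:
            continue  # one definition, or byte-identical copies: nothing to confuse
        active = any(k in b for b in bodies for k in ACTIVE_KEYS)
        findings.append({
            "obj": key, "definitions": len(bodies),
            "first_uris": _uris(bodies[0]), "last_uris": _uris(bodies[-1]),
            "active": active,
            "severity": "high" if active else "info",  # assumed ladder for this demo
        })
    return findings

def url_channels(data, objs):
    """Label each URL by the channel that reaches it: a /Link annotation's /URI
    action is clickable; any other occurrence counts as document text."""
    link_uris = set()
    for bodies in objs.values():
        for body in bodies:
            if re.search(rb"/Subtype\s*/Link", body):
                link_uris.update(URI_RE.findall(body))
    labels = {}
    for url in URL_RE.findall(data):
        channel = "PDF link annotation" if url in link_uris else "In PDF document text"
        labels.setdefault(url.decode("latin-1"), channel)
    return labels

if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    for f in duplicate_objects(objs):
        print(f"obj {f['obj'][0]} {f['obj'][1]}: {f['severity']}, "
              f"first-wins {f['first_uris']}, last-wins {f['last_uris']}")
    for url, channel in url_channels(SAMPLE_PDF, objs).items():
        print(f"{channel:22} {url}")
```

Run stand-alone, it reports object 4 0 at severity high, resolving to the safe-looking URL for a first-wins reader and to the lure URL for a last-wins reader, while the redefined Info dictionary stays at info. The scan is deliberately lenient: it ignores the xref table, as a repairing reader does, so it also surfaces objects the xref no longer points at. Objects packed into compressed object streams (/ObjStm) and encrypted documents need decoding before a byte-level pass like this one sees them.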

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f3b1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF3B1
    Size: 5360 bytes
    SHA-256: fa4b66badca0f515ade3063c2a8391bcaf68484c028e0bef27184f5aaa16ba84
  • font_01_sfnt_off000105de.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x105DE
    Size: 10452 bytes
    SHA-256: 30acb15848c1687a5a6337a069d46774ddb626f4d702115fdab7dd28f13b59c1