PDF malware analysis — malicious · f63bb5a26d1cab28

MALICIOUS

PDF

78.7 KB Created: 2021-05-30 23:07:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-22

MD5: a09ce7447ece3fd1925b7d76d2be0a8f SHA-1: 112ff9770fd764dca12286d10497d34fdded35d0 SHA-256: f63bb5a26d1cab286b50c7f10711a6ea07e8d6e576c137d693b83d849ff8a28e

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

Nyx PDF Classifier malicious score 0.9984

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://botokaw.ru/123?utm_term=manualidades+papel+china+fiestas+patrias PDF link annotation
- https://static.s123-cdn-static.com/uploads/4414514/normal_60080d2744a92.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4377371/normal_6020671081e5e.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4453889/normal_5fdf42c53e3ce.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4450158/normal_603fc1ad86f3e.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4409411/normal_603814bfa9c72.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4472793/normal_5fdb55785d085.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4373520/normal_60152398abb64.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4502493/normal_606829033db74.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4490539/normal_60219b2692de3.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4489593/normal_604de2e718df6.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4486344/normal_5fcb2b64de3b4.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/bb899acf-9dc9-4073-8919-1815c3ee53fb/xalumelovilisiwuzajolowo.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/01ba99c0-2927-4b8b-b37e-1a96d3854cb1/learn_hindi_grammar.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/387e1af7-682f-4c4a-af16-97857b2f1c81/32543995935.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b43d82f9-c2d8-4918-8147-551d4a0304b9/como_hacer_un_bosquejo_para_predicar_en_la_iglesia.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8f4026e0-7d00-4276-ac92-e0af5d246f10/keurig_b150_household.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/89e7fcdd-257e-48f2-a566-26ee2df48415/angular_2_tutorial_free_download.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2b7400b1-e4b5-4d66-af3c-5b2abe9eb4db/the_holy_quran_book.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ca2c91f3-2f51-45b4-b9cb-daad3ee2f956/under_the_dome_season_1_episode_1_free_online.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f2222b6f-703f-4676-b655-23470ec93318/what_streaming_service_has_jack_reacher.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/837bcf1f-b5ec-4b68-ae92-357c1b031055/5_levels_of_relationship_marketing_examples.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/33136864-1460-428d-9058-6fd8dd2c62bc/71282613923.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e2be9347-0367-47d5-a002-8f7827fbb47d/harry_potter_y_la_orden_del_fenix_pelicula_completa_en_espaol_facebook.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/62fa8e8f-b88d-4345-8740-fb889a8ea556/winchester_94_rear_peep_sight.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e19e.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE19E	3320 bytes
SHA-256: `9427d4e102962f4f51e7047dfefe6c48710523af25b378d2d8ab8e81b76eda59`
`font_01_sfnt_off0000ed6a.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xED6A	5248 bytes
SHA-256: `170249d4797e033dcce7619b6354ed4bf8d0aa12f00aad2bcda17d99fc0926e1`
`font_02_sfnt_off0000ff3f.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFF3F	1800 bytes
SHA-256: `e9a5a1f6ed95b1e3669933bb00002ad32a1708c3e0b735191cad5e02368a6c7d`
`font_03_sfnt_off000107cd.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x107CD	11328 bytes
SHA-256: `170c8758d46e265f89fa2d74245f74cce44693fc58db6bb819f824168baf7abb`

Open this report in the interactive analyzer, or submit your own file for analysis.