PDF malware analysis — malicious · fb1262759648052a

MALICIOUS

PDF

76.8 KB Created: 2021-05-05 04:25:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-16

MD5: c0047e9b2b09fa7c4b6776584c4b6157 SHA-1: 865bc6b0d9f5cb4e603c9d29f7e44d1732282be7 SHA-256: fb1262759648052a6f61b3ce7f3ff36a7092d049a04f4342aeaffa28ebdea48f

176 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains heuristics indicating a social engineering attack, specifically a payment redirection lure, and an external URI pointing to a suspicious domain. The ML classifier strongly flagged this PDF as malicious. While no scripts were explicitly extracted, the presence of an external URI and the nature of the social engineering heuristics suggest the document is designed to trick the user into visiting a malicious site, likely to facilitate financial fraud or credential theft.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
ClickFix social engineering attack high SE_CLICKFIX

Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE

Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://baarspo.ru/strik?utm_term=desktop+shortcuts+not+working+windows+10 PDF link annotation
- http://grenkasalo4.xyz/13387132344ga2v.pdfIn PDF document text
- https://dibotora.weebly.com/uploads/1/3/4/8/134870334/xuvifuwabidukukuz.pdfIn PDF document text
- https://cdn.sqhk.co/zavilisuga/vUzaii6/fios_tv_app_apple_airplay.pdfIn PDF document text
- https://xafasujogi.weebly.com/uploads/1/3/4/3/134374351/kotujegosode.pdfIn PDF document text
- https://cdn.sqhk.co/mofokamibe/kX3hcic/skyscraper_roller_coaster_2018.pdfIn PDF document text
- http://xtrading.buzz/alanna_song_of_the_lioness_movieln3ny.pdfIn PDF document text
- http://onlinetyz.xyz/ignou_b._ed_form_2018_last_dateis3x7.pdfIn PDF document text
- https://konevolog.weebly.com/uploads/1/3/1/6/131606720/5335440.pdfIn PDF document text
- https://cdn.sqhk.co/gotofebelu/nid0Shh/68908410117.pdfIn PDF document text
- https://cdn.sqhk.co/xalurubizud/B0Rifgb/zusetekoberu.pdfIn PDF document text
- https://dafuzimobolu.weebly.com/uploads/1/3/4/4/134498283/5621759.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- https://s3.amazonaws.com/sojebelevenex/95347004949.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/21a83964-5c7e-4a9d-bd24-e81e916930cc/titiwugezazojotuzu.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f295e7a7-c14e-40b0-bd94-c336f642109d/the_history_of_love_by_nicole_krauss.pdfIn PDF document text
- https://s3.amazonaws.com/dexodekelaseki/happy_feeling_list.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/90e17242-51ad-470f-bcd1-7853fbb19516/canon_powershot_sd1300_is_lens_error.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/5579d314-e89e-4ea9-8829-2cba2dc2e2fe/1259157894.pdfIn PDF document text
- https://s3.amazonaws.com/zabevog/56132344449.pdfIn PDF document text
- https://s3.amazonaws.com/tuxenipup/sironoforodexomusabejel.pdfIn PDF document text
- https://s3.amazonaws.com/jesidofefe/98645846360.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e10c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE10C	5324 bytes
SHA-256: `5a89ea20c423963ced231199661d0e5a2758a8eef3d6f2d421aacae9c26a5ad6`
`font_01_sfnt_off0000f347.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF347	10564 bytes
SHA-256: `1c599ea77592d7eb2f607102024e61c9d5820a94e83f7d82b156cce7ad386b67`
`font_02_sfnt_off00011789.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11789	4324 bytes
SHA-256: `9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2`

Open this report in the interactive analyzer, or submit your own file for analysis.