MALICIOUS
Risk Score: 104
Malware Insights
MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1059.001 PowerShell
The PDF file contains embedded JavaScript and an external URI pointing to a URL that is disguised as a Cisco Webex datasheet. This suggests a phishing attempt to lure the user to a malicious site. ClamAV detection as Pdf.Phishing.Trojan further supports the malicious nature of this file.
Machine Learning
- Nyx PDF Classifier malicious score 0.5676
Heuristics 5
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 | critical | CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Embedded JS stream | low | PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- External URI | info | PDF_URI
  PDF contains an external URL action
- Object number defined twice with different bodies | info | PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL | info | EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://loheb.co.za/XSRYdR1H?utm_term=cisco+webex+meetings+datasheet
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00038f01.bin | 69a455a29cdf93199da75893caeefed0f3827915598cd0c17eb4b2a30c748ebf | pdf-font-stream | PDF embedded font (sfnt) at offset 0x38F01 | 11032 bytes |
| font_01_sfnt_off0003a860.bin | 2929ff7de2eee33b35db24b50e390e2547e63b2d2624b8b3dfdb709128a68644 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3A860 | 7720 bytes |
| font_02_sfnt_off0003c1db.bin | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3C1DB | 16792 bytes |
| font_03_sfnt_off0003d9f6.bin | 37c0ab2fc46cf7376a00bf8ee0107ef14cafe73dfd0d8d4d62514ef45f40b331 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3D9F6 | 19256 bytes |