PDF malware analysis — malicious · 033e1cde232b995d

MALICIOUS

PDF

76.8 KB Created: 2021-02-13 17:48:40 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 1aea95d50fe89b866d5fa7564be4dc81 SHA-1: 39ac18a165de23647cae5eb1152f8ce45f2ab0d9 SHA-256: 033e1cde232b995dd07dcc955e0e3f3051764737642e4d2a2520e5dc776ca393

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'https://jacksth.ru/wix?keyword=what+is+facebook+live', which is likely used to redirect the user to a phishing or malware distribution site. The document body is heavily obfuscated, but the presence of the external URI is a strong indicator of a malicious lure.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://jacksth.ru/wix?keyword=what+is+facebook+live
- https://static.s123-cdn-static.com/uploads/4488558/normal_5ffb23f22c8b0.pdf
- https://cdn-cms.f-static.net/uploads/4370059/normal_60146223e31e5.pdf
- https://static.s123-cdn-static.com/uploads/4377125/normal_6007535c090f6.pdf
- https://rixatesar.weebly.com/uploads/1/3/1/8/131871899/e01a620dd5418f.pdf
- http://kupivse.xyz/manual_usuario_contasol_2019eu9e5.pdf
- http://questotzvezd.space/4_pic_1_word_level_1293xw0ol.pdf
- https://static.s123-cdn-static.com/uploads/4425772/normal_5ffb23808f569.pdf
- https://cdn-cms.f-static.net/uploads/4482403/normal_5fda6b967d705.pdf
- https://cdn-cms.f-static.net/uploads/4451565/normal_5fd3a6b7de3e9.pdf
- https://cdn-cms.f-static.net/uploads/4490364/normal_601e116239f6b.pdf
- http://my-credit.info/guardian_tales_guide_world_2_hide_and_seekxapds.pdf
- https://cdn.sqhk.co/kuburarimoku/cLgfXhb/24228651938.pdf
- http://igcopyrightforhelps.com/bukegaja0ch9e.pdf
- https://cdn.sqhk.co/zifegowuf/lbHBjex/ping_pong_table_dimensions_and_clearance.pdf
- https://fapudajom.weebly.com/uploads/1/3/2/6/132681453/11e234cbb1588.pdf
- https://cdn-cms.f-static.net/uploads/4428043/normal_6025bb1be23bf.pdf
- http://honbiz.pro/akali_guide_jgs3rkh.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/bodajaku/java_jre_8_update_181_64-_bit.pdf
- https://s3.amazonaws.com/rawesaragegugar/45114568175.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f0f2.bin` `18e14434fef36748122e4c4bdcea0c5857651cab1b823cddae07e12697d5b665`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF0F2	5148 bytes
`font_01_sfnt_off0001028f.bin` `5f4b4fac65f64ce94a5ebeb215839163519afe0a8b33ddcf1d335709f95acebc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1028F	10440 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.