PDF malware analysis — malicious · 052b968444448fd8

MALICIOUS

PDF

76.3 KB Created: 2021-02-20 11:36:24 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 2d3c5f7eb340fa896eae16c70488a9d0 SHA-1: ad10160de664b93c7a675fe2e0271b3a6c3f2919 SHA-256: 052b968444448fd8ea99798c98755a42a456521bb4dc6a9784fe0e50e3b375c1

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to a suspicious domain, 'seumenha.ru', which is likely used to host a phishing page or distribute further malware. The document body, though heavily obfuscated, suggests a lure related to educational content ('radicals and rational exponents test review'). No scripts were extracted, but the presence of external URIs and the overall malicious verdict strongly suggest a phishing or malware delivery attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://seumenha.ru/strik?utm_term=radicals+and+rational+exponents+test+review
- https://cdn.sqhk.co/wugunifikezu/bghibjf/zombies_can_t_jump_2_crazy_games.pdf
- https://cdn-cms.f-static.net/uploads/4387412/normal_5fd6891e33ca8.pdf
- https://static.s123-cdn-static.com/uploads/4489835/normal_5fcc6fefb5c03.pdf
- https://static.s123-cdn-static.com/uploads/4473039/normal_6008ad579ddf2.pdf
- http://olipaka.xyz/hsn_shopping_guidezrs0d.pdf
- https://static.s123-cdn-static.com/uploads/4501364/normal_6003a861be4d3.pdf
- https://static.s123-cdn-static.com/uploads/4384046/normal_5fc71aeec3a8e.pdf
- https://cdn.sqhk.co/guwewaxa/R7NAicd/real_car_drift_simulator_download.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/sojuravewi/pelutapuwi.pdf
- https://s3.amazonaws.com/gagagakigibapo/59060289371.pdf
- https://s3.amazonaws.com/fibesezati/29535882481.pdf
- https://s3.amazonaws.com/mojivikapeti/church_s_chicken_application_form_print_out.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d966.bin` `a223cf7499e870b5cb3a302d2444ae402e70692975394a822ad0496d4818ea58`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD966	5296 bytes
`font_01_sfnt_off0000eb92.bin` `7b6dce39b201fac8fe3a4fc94f8898eeb7c1f7effdeb227a6d7776c18596d7f6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEB92	10392 bytes
`font_02_sfnt_off00010f74.bin` `c43c81af3addadc619f1b50b0eb79006c69e58cb90abf43f7a5fbd940e22698c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10F74	16060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.