PDF malware analysis — malicious · 07335d254fbffc6d

MALICIOUS

PDF

67.6 KB Created: 2020-11-16 21:33:56 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: ce773993a883388832b1ffeba9a9819d SHA-1: cf23ed1d565d4aacc994816b69df542928b966c0 SHA-256: 07335d254fbffc6df7875d2cc4ec3f3dd500058761a27ec90af31b675af62123

136 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF file was flagged by multiple heuristics, including a high-confidence ML classifier and ClamAV, indicating malicious intent. The presence of advance-fee scam language, combined with an external URI pointing to a suspicious domain, strongly suggests a phishing or fraud attempt. The document body, though heavily obfuscated, contains keywords related to the lure.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE

Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://trafffe.ru/123?utm_term=sally+hansen+nail+polish+strips+walgreens
- https://cdn-cms.f-static.net/uploads/4486758/normal_5fb27911cb8fd.pdf
- https://cdn-cms.f-static.net/uploads/4410459/normal_5fae2544906ee.pdf
- https://cdn-cms.f-static.net/uploads/4370064/normal_5f9090f290dae.pdf
- https://cdn-cms.f-static.net/uploads/4365553/normal_5f878e9883a1d.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/genedesowul/mefazetaxelisisep.pdf
- https://s3.amazonaws.com/bubodeliza/jererelasemazoriniji.pdf
- https://s3.amazonaws.com/wilugugo/dotujifet.pdf
- https://s3.amazonaws.com/fejififimaketo/html_tags_list_with_examples_and_description.pdf
- https://s3.amazonaws.com/fikuvine/gitofejedoguduxaleb.pdf
- https://uploads.strikinglycdn.com/files/87926a7c-151d-426b-9069-b6159a718a45/37869526261.pdf
- https://s3.amazonaws.com/mokuwanibof/wujalebafipizibesavif.pdf
- https://uploads.strikinglycdn.com/files/61ebd28d-75ec-4d3d-bef1-75b4cde4d611/5_georgia_regions_worksheet.pdf
- https://s3.amazonaws.com/wonoti/51110103066.pdf
- https://uploads.strikinglycdn.com/files/9ae9dfa0-f326-448e-b523-1b5f606086f3/80285066831.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000cb8a.bin` `a4cee1b9e312ef49f39ad297675412da7f82570513dd6aba1f166a594b19d987`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCB8A	5376 bytes
`font_01_sfnt_off0000dde5.bin` `179994d9fdeec8857d87c3bd796a8df92a0342243a64a740e4aee8ad6e026467`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDDE5	10436 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.