PDF malware analysis — malicious · 0e8820f0ffb3a308

MALICIOUS

PDF

65.3 KB Created: 2021-03-16 00:02:23 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 6e8d8d911c0bbb9afad76afaf21e4a72 SHA-1: bb7691b1100ad988a6a5d32fd4c81cf971b887fa SHA-256: 0e8820f0ffb3a308cad1379766081899659060bdffca386952f0114eb7718049

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The presence of multiple external URLs suggests a phishing or credential harvesting attempt, likely disguised as an award or prize to entice users. No scripts were extracted, but the PDF structure and embedded URLs point towards a social engineering attack.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://pelibifir.ru/award?keyword=brokenness+book+pdf
- http://gatowixipeba.mywebcommunity.org/how_long_does_a_stihl_battery_last.pdf
- https://cdn-cms.f-static.net/uploads/4420028/normal_5fe810e06955c.pdf
- http://tk-pobeda.site/48886286161e6z4t.pdf
- https://jewelilug.weebly.com/uploads/1/3/4/3/134331877/jozanofajusawenitowo.pdf
- https://dimegowogox.weebly.com/uploads/1/3/3/9/133999821/78cff9.pdf
- https://cdn-cms.f-static.net/uploads/4404725/normal_6027f157cfa37.pdf
- https://dopovubejaxow.weebly.com/uploads/1/3/4/0/134017692/9942151.pdf
- http://ourfanz.com/xasoseloxwljvr.pdf
- https://static.s123-cdn-static.com/uploads/4492294/normal_60016b04c8090.pdf
- http://fawikenaxalu.scienceontheweb.net/comment_in_visual_basic_code_excel_begin_with.pdf
- https://static.s123-cdn-static.com/uploads/4386620/normal_5fc8c12ff31d2.pdf
- https://cdn.sqhk.co/zizaratijiga/gfTTjbC/hsbc_cheque_number_format.pdf
- https://fekugutupufug.weebly.com/uploads/1/3/4/8/134876907/5849674.pdf
- https://cdn.sqhk.co/fosikikevo/jc3Orq2/nibapusagij.pdf
- http://fegokodelaxen.scienceontheweb.net/descargar_agenda_2020_gratis.pdf
- http://memiwuv.mygamesonline.org/xonuz.pdf
- https://gufiferufa.weebly.com/uploads/1/3/2/3/132302963/cd390ee.pdf
- http://xagakojitogiva.getenjoyment.net/zatupinomerorubasix.pdf
- https://static.s123-cdn-static.com/uploads/4409395/normal_60015109ec56b.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c43e.bin` `8826444dc97d435191c0d0f5c209a65f7de4878f55ed48680685d09e288d5b94`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC43E	5044 bytes
`font_01_sfnt_off0000d578.bin` `28401f98e98b0bd475aa633a355ebf4984c9c60998f42aa6ed88ca44b2e2779d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD578	10352 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.