PDF malware analysis — malicious · 17999c5098306084

MALICIOUS

PDF

77.6 KB Created: 2021-03-27 12:24:17 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4ad7b8a132c10e4bfaec8af4c583cf11 SHA-1: 2364e3e9e4c3af19fca4e60416f0fd484bd2e444 SHA-256: 17999c5098306084cbbfb2c3ac48e5ba3bf90d134555cb5fed2c15cfd0a8bc75

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document that contains an embedded URI pointing to a suspicious URL. ClamAV and ML classifiers also flagged this PDF as malicious, specifically as a phishing trojan. The document body is heavily obfuscated, but the presence of an external URI suggests an attempt to redirect the user to a malicious site, likely for phishing or malware delivery.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://bologen.ru/strik?utm_term=the+magic+barrel+pdf
- https://cdn.sqhk.co/fujonexa/gihb8je/strategic_risk_management_examples.pdf
- http://zelafagilu.iblogger.org/doctor_zhivago_original_movie_poster.pdf
- http://vojidovalo.iblogger.org/xujukuwuj.pdf
- https://cdn.sqhk.co/duxadikoti/jaSgjjg/guvovigovosaluwutokuk.pdf
- https://cdn.sqhk.co/zisenusaf/dIhjfja/chikungunya_virus_infection_rash.pdf
- https://cdn.sqhk.co/zowipitilo/LgeeSDP/light_purple_tie_dye_background.pdf
- https://cdn.sqhk.co/parikozug/f4Lhijh/48123304446.pdf
- https://cdn.sqhk.co/timugulirebu/iajhOij/geeksforgeeks_data_structures.pdf
- https://cdn.sqhk.co/bexefoboxevi/ghty2FD/influence_synonyms_words.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/rawesaragegugar/81785499643.pdf
- https://uploads.strikinglycdn.com/files/7e98c4d9-a9b9-42df-815d-94493b16c8a5/cursive_letter_chart_printable.pdf
- https://s3.amazonaws.com/gudukupir/wizidinepejima.pdf
- http://renureva.epizy.com/lejuxoregajofaxadifowix.pdf
- https://s3.amazonaws.com/warapagefasovi/24681044739.pdf
- https://s3.amazonaws.com/nuselufuzo/95345744354.pdf
- https://s3.amazonaws.com/xetasif/asana_pranayama_mudra_bandha_portugues.pdf
- https://uploads.strikinglycdn.com/files/9ea3ee5c-a0b1-444b-8a3f-59a76a183a79/38976201015.pdf
- https://s3.amazonaws.com/vutame/kexazamebi.pdf
- https://s3.amazonaws.com/viboxikuz/jadar.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f06a.bin` `bbd5619b0349fd0ef3e97c3f0e93e8ead1cb1e9b4e1493e3060d9c0dc1d1e314`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF06A	5480 bytes
`font_01_sfnt_off000102dc.bin` `3968aa67396aa70075d741fff5d30d65b8630f6c848376e0e35fabc04c920aff`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x102DC	11304 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.