Risk Score: 96 (MALICIOUS)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file was detected as a malicious PDF by ML classifiers and ClamAV, specifically identified as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a malicious site. The document body, though heavily obfuscated, suggests a lure related to a specific search query, which is a common tactic for phishing or malware delivery.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics (4)
- ClamAV (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00011110.bin c1a9978ed56f5479abc1ce52cbde6a2bb89c8c7817b435125db24e62a0c62110 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11110 | 5064 bytes |
| font_01_sfnt_off00012259.bin 16aeabdcc559043df37ae3716afcedebc0486116ede1121920f4962d9c5888be | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12259 | 13080 bytes |