PDF malware analysis — malicious · 2789b9f920d18d2b

MALICIOUS

PDF

80.5 KB Created: 2021-02-24 12:14:56 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b0d565e272f06485434cd7897c46b7ed SHA-1: 79a7970e8d35cb5326a1eab5d5b48a2d0c6175f6 SHA-256: 2789b9f920d18d2b0a7587fcfd140d64b69f0962b7e32be0bfffdfe7aeb041ad

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document that contains an embedded URL pointing to a suspicious domain, identified as a phishing or malware distribution attempt by ClamAV and ML classifiers. The document body, though heavily obfuscated, appears to contain keywords related to calendars and reports, suggesting a lure. No scripts were extracted, but the presence of an external URI indicates an attempt to redirect the user to a malicious site.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://maypoin.ru/wix?keyword=potomac+elementary+school+king+george+va+calendar
- https://cdn-cms.f-static.net/uploads/4415756/normal_602960e9f20e5.pdf
- https://cdn-cms.f-static.net/uploads/4493597/normal_601c78e47541c.pdf
- https://cdn-cms.f-static.net/uploads/4446917/normal_6012f8e1bb76e.pdf
- https://cdn-cms.f-static.net/uploads/4377909/normal_602871dd6b65e.pdf
- https://cdn-cms.f-static.net/uploads/4487665/normal_60117c90c395a.pdf
- https://static.s123-cdn-static.com/uploads/4476420/normal_5ffda21e1e944.pdf
- https://cdn-cms.f-static.net/uploads/4446390/normal_5fdbe02d31152.pdf
- https://cdn-cms.f-static.net/uploads/4378853/normal_5fd5ff16a8cf8.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/sukobogixe/cracked_idm_for_pc_free.pdf
- https://s3.amazonaws.com/firudegix/perokotekanejajajudu.pdf
- https://s3.amazonaws.com/nufidibodudulad/pufobebagedoxamugibilamex.pdf
- https://s3.amazonaws.com/vajefam/49207113023.pdf
- https://s3.amazonaws.com/luramamelolem/injury_incident_report_template_word.pdf
- https://s3.amazonaws.com/mixanaz/bukimizokavuno.pdf
- https://s3.amazonaws.com/genukopapovixo/project_budget_proposal_template_excel.pdf
- https://s3.amazonaws.com/mejobu/86412097752.pdf
- https://s3.amazonaws.com/bipovoromoj/96814825759.pdf
- https://s3.amazonaws.com/gurafoga/sanorafitepumopulesar.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000fcd0.bin` `f54c32837875673d446fdbd4894c02f1b1dfe00def8f2bd33f40c0bab11ff771`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFCD0	5580 bytes
`font_01_sfnt_off00010fa8.bin` `fd70f929af65251707cad6de56d2b2e290cea36e6f4cc4713e5db65280565917`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10FA8	10844 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.