Verdict: MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF was flagged as malicious by the Nyx PDF ML classifier (score 0.9993) and by ClamAV, which names it a phishing trojan (Pdf.Phishing.Trojan). Its one active element is a link annotation whose /URI action points at medvor.ru with a utm_term of "best website to download music albums", so clicking the link sends the reader to a suspicious domain under a lure about downloading music albums; the document body, though heavily obfuscated, matches that theme. The many other URLs were recovered from document text rather than from actions: most point at other PDFs hosted on f-static.net, s123-cdn-static.com and strikinglycdn.com, while the w3.org, purl.org, ns.adobe.com, scripts.sil.org/OFL and ascendercorp.com entries are XMP metadata namespaces and font-licence references that carry no detection weight on their own. One indirect object is defined twice with differing bodies, which is reported at info severity because body-only drift is common in benign incremental updates. No JavaScript-specific heuristic fired, so the T1059.007 mapping is not corroborated by the heuristics listed below.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics (4)
- ClamAV (critical, CLAMAV_DETECTION): Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0. ClamAV detected this file as malware under that signature name.
- External URI (info, PDF_URI): the PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): the same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://medvor.ru/pbw?utm_term=best+website+to+download+music+albums (PDF link annotation)
  - https://cdn-cms.f-static.net/uploads/4477886/normal_5fe7f05b05836.pdf (in PDF document text)
  - https://static.s123-cdn-static.com/uploads/4450345/normal_5fc920972bc5a.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4460678/normal_6065e7ba42d00.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4388619/normal_6037be4829cd7.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4367646/normal_604a39d7a518b.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4464724/normal_60110754e7372.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4384821/normal_6036a412caf02.pdf (in PDF document text)
  - https://static.s123-cdn-static-d.com/uploads/4375199/normal_60b4ad649f9bd.pdf (in PDF document text)
  - https://static.s123-cdn-static.com/uploads/4384647/normal_5fdde117d5ce4.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4371025/normal_604ad1b6a6774.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - https://uploads.strikinglycdn.com/files/1dc84297-2c22-4bd8-abab-257a478b23bb/xudipifiluliwekofewep.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/9b5c120b-9beb-42fb-92b9-d5a1cfeed863/reading_body_language_activity.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/8ed7a535-ff84-4958-a122-91857270d405/58277803550.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/c3b5dafb-dcf6-4a37-8600-c580e22c7374/are_any_stock_markets_open_on_weekends.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/8acd2f0f-6242-47bb-a9c3-fe07ef1f20e4/24014576832.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/726d62a4-a8c3-4ba0-8822-88cf7ac8e6a2/mage_leveling_guide_ragnarok_iro.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/76e75837-8b7a-4565-b6eb-689c255c2be3/vagijawuzodibuwuder.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/2d671b0a-0328-4b8d-bcfe-d455c6eebd63/99933174057.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/af63d05c-0584-4e8f-967c-cb702108e7e5/mary_poppins_movie_soundtrack_youtube.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/82b8467d-34b9-4778-98e3-faac21cb1fe3/ti-30x_iis_online_emulator.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/3c11101a-0804-4247-bef9-b8e7660a844c/the_heir_kiera_cass_full_book.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/9d11cc1a-6631-42f9-8b2c-3db39a4d7448/80869588856.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/344edb09-5369-43b9-a29e-dcfe0878339c/download_game_yugioh_forbidden_memories_2_for_android.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/97049096-0eed-4cc5-a469-f104cea8d422/2012_vw_passat_repair_manual.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/3c767331-c9cb-43e4-b613-77ab0a321347/44987266040.pdf (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
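The PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above describe two things a triage script can check directly: which /URI actions a link annotation carries, and whether an indirect object is defined twice so that a first-wins and a last-wins reader would resolve different bodies. The following is an added example written for this page, not the analyzer's own code. It works on raw bytes with regular expressions (it ignores the xref chain entirely, which is exactly why it sees both definitions), handles only literal `(...)` URI strings, and runs against a constructed minimal PDF whose incremental update redefines object 4 with a different /URI; the object numbers and URLs in that sample are made up and are not from the analysed file.

```python
import re
from collections import defaultdict

# Constructed sample, not the analysed file: a minimal PDF whose incremental
# update redefines object 4 (the page's link annotation) with a different /URI.
# The xref offsets a real reader needs are omitted; this scanner works on raw
# bytes, so it sees both bodies regardless of which one the xref chain selects.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://example.org/benign-landing) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://lure.example/download) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# "N G obj ... endobj" pairs; the lookbehind stops "4 0 R" style references
# from being read as the start of an object header.
OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b")
URI_STRING_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # literal strings only; hex <...> strings not handled
ACTIVE_MARKERS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA")


def scan_objects(pdf):
    """Map (num, gen) -> list of body bytes in file order; duplicates are kept."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def uri_actions(body):
    """URIs reachable from a /S /URI action inside this object body."""
    if not URI_ACTION_RE.search(body):
        return []
    return [m.group(1).decode("latin-1") for m in URI_STRING_RE.finditer(body)]


def is_active(body):
    """Active content: a URI action or any of the usual script/launch keys."""
    return bool(uri_actions(body)) or any(k in body for k in ACTIVE_MARKERS)


def duplicate_objects(objs):
    """Objects defined more than once with differing bodies."""
    return {k: b for k, b in objs.items() if len(set(b)) > 1}


def report(pdf):
    """For each duplicate, what a first-wins and a last-wins reader would resolve."""
    findings = {}
    for key, bodies in duplicate_objects(scan_objects(pdf)).items():
        findings[key] = {
            "definitions": len(bodies),
            "first_wins_uris": uri_actions(bodies[0]),
            "last_wins_uris": uri_actions(bodies[-1]),
            # mirrors the report's severity rule: body-only drift is benign
            # unless one of the copies carries active content
            "active": any(is_active(b) for b in bodies),
        }
    return findings


if __name__ == "__main__":
    for (num, gen), f in report(SAMPLE_PDF).items():
        print(f"object {num} {gen}: defined {f['definitions']}x, active={f['active']}")
        print("  first-wins ->", f["first_wins_uris"])
        print("  last-wins  ->", f["last_wins_uris"])
```

Run it on a real sample by replacing SAMPLE_PDF with the file's bytes. A duplicate whose two bodies resolve to different URIs is the case the heuristic warns about: a reader that honours the latest incremental update follows one link, a reader or scanner that takes the first definition sees the other, and the analyst should record both. A duplicate with no active content in either copy is the benign incremental-update shape and stays at info.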
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00011555.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11555 | 5272 bytes | 7c857c0013811c8589fffac85f2a71922a169ce5c3116ab856b0189446aadbfa |
| font_01_sfnt_off0001273f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1273F | 10904 bytes | 31b3c3caa6722379c8c1211eb2f6087048d70172a33ed4b755435c65420fa82b |