Verdict: MALICIOUS
Risk Score: 144
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains a lure related to a "Pokemon platinum fusion rom hack" and a high-risk heuristic indicating it's a phishing/malicious document. It also embeds a URL that redirects to a download page, suggesting it's designed to trick users into downloading a payload. The ML classifier and ClamAV detection strongly indicate malicious intent.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9997

Heuristics (6)
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK): PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector, the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://wastran.ru/pbw?utm_term=pokemon+platinum+fusion+rom+hack (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000104d9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x104D9 | 5320 bytes | 974906d01d54a6401b39d8e8a08d861f14579600c8c4bcd88cb2ab3f043d2ee3 |
| font_01_sfnt_off000116ce.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x116CE | 11248 bytes | 3849306089854c55241150e7f07546105db9741517e90ae3ee51e57e9bbd5db0 |