PDF malware analysis — malicious · 33681e7571934483

MALICIOUS

PDF

278.8 KB Created: 2021-03-10 09:54:42 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4f4f34c36ab40ff54eaf76fecb7e1ec1 SHA-1: 4f5beb67c51c70d5f1ca6c5f28f713bb619f4d09 SHA-256: 33681e75719344834cf71a2532a684a9d31b8f51ebc6f520c6de6f20019cad62

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a suspicious domain, which is likely part of a phishing or malware distribution scheme. ClamAV detection and ML classification strongly indicate malicious intent. The document body, though heavily obfuscated, suggests a lure related to a book title, likely to trick users into clicking the malicious link.

Machine Learning

Nyx PDF Classifier malicious score 0.9830

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://jumiwimov.ru/award?keyword=budismo+moderno+vol+3+pdf
- https://cdn.sqhk.co/bemoranoz/jx7DNPV/77922935377.pdf
- https://cdn.sqhk.co/sepunaro/hhf0hcY/wifenakobofotigomajinut.pdf
- https://cdn.sqhk.co/ribobujir/il5VywB/72797866920.pdf
- https://wujawosekeg.weebly.com/uploads/1/3/4/7/134712458/1386074.pdf
- https://cdn.sqhk.co/nivodoruw/5zQ9X8E/bitcoin_mine_life_tycoon_idle_miner_simulator.pdf
- https://cdn.sqhk.co/zaletimerizo/UuhcibZ/64217627183.pdf
- https://pawomasa.weebly.com/uploads/1/3/4/7/134737305/9501709.pdf
- https://cdn.sqhk.co/nowavutu/jhjchhg/58992977765.pdf
- https://wubudonujekud.weebly.com/uploads/1/3/4/5/134524452/101aeba9.pdf
- https://nokurujifeseg.weebly.com/uploads/1/3/4/3/134355409/gegadakavet_xarebafode_sogivo_kigetumevekemov.pdf
- https://cdn.sqhk.co/lomasamube/d31Ajbg/bujedazoka.pdf
- https://gareketekefebon.weebly.com/uploads/1/3/4/6/134695024/da5897.pdf
- https://cdn.sqhk.co/wekaradukuve/iid5gji/dowokilowi.pdf
- https://cdn.sqhk.co/paxelababeg/giSjjUJ/neha_kakkar_songs_video_download.pdf
- https://kovirelumen.weebly.com/uploads/1/3/0/8/130873776/7547438.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/9347398c-8dad-45ec-a6ce-db59752c1b71/supercharging_quantum_touch_advanced_techniques.pdf
- https://uploads.strikinglycdn.com/files/3d3283a7-1db8-4f6f-b19f-4ab9ad02669e/my_cloud_ex2_ultra_ups_compatibility.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00040484.bin` `5969bbd1c65c1183c75baf8c638cd5cc60a3a08705d246d3eea91a3387acb10d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x40484	5248 bytes
`font_01_sfnt_off00041653.bin` `b948b67648e0c4b124636e1d6c479c19ec55ffe8918332c9f88eeb2b504e5d86`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x41653	17768 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.