PDF malware analysis — malicious · 39f8f70b7ff62e7f

MALICIOUS

PDF

74.9 KB Created: 2021-04-26 12:49:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 67567b6a3acb1a5b3a9858171766a6a1 SHA-1: 53411cd024bd3be8699ea18b60b040166b8b4488 SHA-256: 39f8f70b7ff62e7f1ca28d2ac3b228aa299f75537b2e5737fd35f7fc402e7f39

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, specifically identified as a phishing trojan. It contains an embedded URI pointing to 'xajibur.ru', which is likely the malicious destination. The document body, though heavily obfuscated, suggests a lure related to starting a Zoom meeting, aligning with phishing tactics.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://xajibur.ru/strik?utm_term=how+to+start+a+meeting+on+zoom
- https://static.s123-cdn-static.com/uploads/4465010/normal_5fcc8c93ec997.pdf
- https://static.s123-cdn-static.com/uploads/4450038/normal_5ff9c9dd9c566.pdf
- https://cdn.sqhk.co/rosisole/5Aha4uZ/santorini_greece_april_weather.pdf
- https://cdn.sqhk.co/gepumenujeme/dghihie/halloween_costumes_for_kids_boys_fortnite.pdf
- https://cdn-cms.f-static.net/uploads/4491398/normal_603719ff32f02.pdf
- https://cdn.sqhk.co/dujepiwewi/jhiipja/jexak.pdf
- https://cdn.sqhk.co/bufomofa/dm4gj5G/rise_of_kingdoms_lost_crusade_level_17.pdf
- https://cdn.sqhk.co/luwesefizi/ohdjc28/america_s_got_talent_show_golden_buzzer.pdf
- https://cdn-cms.f-static.net/uploads/4388629/normal_5fd792a3181ec.pdf
- https://cdn-cms.f-static.net/uploads/4448713/normal_6058085761f64.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/5f96c0cc-d7fd-4caa-8a7d-c3f3e846837c/23059958626.pdf
- https://uploads.strikinglycdn.com/files/fddc5fe9-1ed4-4587-aec6-8aba2874284d/garp_frm_exam_pass_rate.pdf
- https://s3.amazonaws.com/dedinavesute/xitevo.pdf
- https://uploads.strikinglycdn.com/files/8a3d8705-479f-4fa9-aa27-81e276276c1c/maxtor_onetouch_ii_software.pdf
- https://s3.amazonaws.com/tikofaketonub/implosion_never_lose_hope_apk_mod_revdl.pdf
- https://uploads.strikinglycdn.com/files/28542241-bafc-4292-afef-9b9bf1c37918/why_wont_my_bissell_lift_off_wont_spray_water.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e806.bin` `501c974c3b0613445aa3abeb8fb6f5ca9a1de9d0e2442655c0aa1d9813b448f2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE806	5076 bytes
`font_01_sfnt_off0000f94b.bin` `b1dde4637ba02ee0e02f31f974296c00c73cc1ae6a052c4a522912fdee78f6a7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF94B	10912 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.