MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file is identified as malicious by ClamAV and an ML classifier, with a high risk score. It contains an embedded URI pointing to 'https://pelibifir.ru/strik?utm_term=how+much+do+safety+specialist+make', which is likely a phishing or malware distribution URL. The document body, though heavily obfuscated, suggests a lure related to job salary information, a common phishing tactic.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 4
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION). ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (severity: info, rule: PDF_URI). PDF contains an external URL action.
- Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL). The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (severity: info, rule: EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://pelibifir.ru/strik?utm_term=how+much+do+safety+specialist+make
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000eb4a.bin ea533f58f279a78caae7257f4557d0800692a6317fa616db5d1b5186b11d4798 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB4A | 5520 bytes |
| font_01_sfnt_off0000fe05.bin 3f806e80d3da8f07b245b5604bd6d2cfed3b906f65909cbb1a20e1defaf5f469 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE05 | 10296 bytes |