MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file is identified as malicious by multiple heuristics and a machine learning classifier. It contains an embedded URI pointing to 'https://xajibur.ru/award?keyword=beowulf+pdf+raffel', which is a strong indicator of a phishing or malware distribution attempt. The PDF structure and content, though partially obfuscated, suggest a lure to external content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9353
Heuristics 4
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI (info, PDF_URI). PDF contains an external URL action.
- PDF differential parser failed (info, PDF_DIFFERENTIAL_PARSE_FAILED). The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://xajibur.ru/award?keyword=beowulf+pdf+raffel
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000119e6.bin 3729b4c1cee1dabc635f2d6846f8936dfdb8e04a54820a98d171fbeae84b95f5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x119E6 | 4996 bytes |
| font_01_sfnt_off00012b0d.bin 5bb8dbe81095cde21ee9f357cc157911e17a73af3553d9f7efd89c9a4e490533 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12B0D | 12572 bytes |