Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d0f80008669af97…

Verdict: MALICIOUS
File type: PDF
Size: 79.6 KB
Created: 2021-04-12 18:10:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 718408e698f3e0a8e6f60e687474c48c
SHA-1: 2becd2a97bda7ea5798bed945bb945f8299be483
SHA-256: 3d0f80008669af97f868cc0184587534c49dde7631c3a588d18196a63cb33a68
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that redirects to a suspicious domain, identified by ClamAV as Pdf.Phishing.Trojan. The document body, though heavily obfuscated, suggests a lure related to 'The knight in rusty armor' to entice users to click the malicious link. No scripts were extracted, but the presence of an external URI and the ML classifier's high confidence indicate a phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://seumenha.ru/strik?utm_term=the+knight+in+rusty+armor+summary
    • https://cdn.sqhk.co/zodavujera/PAghFgi/kawenosulomuro.pdf
    • https://cdn.sqhk.co/tokofape/fjielCc/14078359752.pdf
    • https://cdn.sqhk.co/kusamika/iDggHie/39938343393.pdf
    • http://svoylend.xyz/4139926183008yg8.pdf
    • https://cdn.sqhk.co/nizufalagef/bibghhi/manapakkam_kanniyamman_kovil.pdf
    • https://cdn.sqhk.co/kogeledewafo/iiobvai/slot_machine_jammer_emp_diagram.pdf
    • http://fruitnaturs.space/vafiwusubomukoluyu4t9.pdf
    • https://cdn.sqhk.co/rekubapapup/gdvhiig/69153368262.pdf
    • https://cdn.sqhk.co/vojofarakiva/BgeMXQ8/hades_star_planet_chance.pdf
    • http://bupetud.xyz/literary_devices_bookmlt33.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/penale/29932270525.pdf
    • http://ledaruwevegoxu.onlinewebshop.net/nakulipalavowovenesusa.pdf
    • https://s3.amazonaws.com/dobikasukavu/computer_basic_full_form_list.pdf
    • https://f803bf1b-e1c2-47f6-a41f-c9785c88fbd4.filesusr.com/ugd/bf07b1_e33032fd7d094d009a91da60cfe64274.pdf?index=true
    • http://malejubu.myartsonline.com/brussels_train_map.pdf
    • https://s3.amazonaws.com/poresi/41992710284.pdf
    • https://8f6f9f04-f977-4239-955d-f6aecf2dd879.filesusr.com/ugd/81cd61_6ad6b2c3157f47459654b087a1cb3b0c.pdf?index=true
    • https://s3.amazonaws.com/dibedamoka/95687893299.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fa50.bin
    SHA-256: 6c6ea1ed4b5a5115144c2759dddf8b48022c2c86959d5f70dd75142c8f220a48
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFA50
    Size: 5184 bytes
  • Filename: font_01_sfnt_off00010bd3.bin
    SHA-256: 6e4164723140e6461abe49b3ab55949af0db751525695bb2b0bc72fd9b1e9e3b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10BD3
    Size: 10600 bytes