PDF malware analysis — malicious · 44fb649c3a507fca

MALICIOUS

PDF

63.9 KB Created: 2020-12-16 02:08:37 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 725ed190578ad42f51d5e8dbba97426e SHA-1: 5e6265afd21735dc5affe9c48b4295685ef2cadc SHA-256: 44fb649c3a507fca1ab6fc0bb4dcac91f0816a1c02c9e5a329e148a4fde28677

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, specifically identified as a phishing trojan. The document body, though heavily obfuscated, contains text suggesting a lure for a movie song, and an external URI pointing to a suspicious domain was extracted. This indicates a phishing attempt designed to trick users into visiting a malicious URL.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://traffnew.ru/aws?utm_term=once+more+movie+video+song
- https://static.s123-cdn-static.com/uploads/4380214/normal_5fc54b6545302.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static1.squarespace.com/static/5fc1a7c51c8c741314372d70/t/5fcbd3e6da45e86ccaae8fa7/1607193576063/52453144731.pdf
- https://static1.squarespace.com/static/5fc2ac42a5bc066edfb10807/t/5fc813776652ad59ec198057/1606947703968/road_trip_movie_download_in_tamil_isaimini.pdf
- https://s3.amazonaws.com/figidireki/ipagal_movies_bollywood_2017.pdf
- https://static1.squarespace.com/static/5fc6afc95e8e827d42b66858/t/5fc8596e46ef2e08cbb331a4/1606965615171/bumevurezijis.pdf
- https://s3.amazonaws.com/zuguvoxoki/sasam.pdf
- https://s3.amazonaws.com/wilugugo/vativezefasedebosudujakit.pdf
- https://s3.amazonaws.com/xidulumexi/59637617376.pdf
- https://s3.amazonaws.com/risalenefazozo/canva_marketing_proposal_template.pdf
- https://static1.squarespace.com/static/5fc29fc08787e879897709a8/t/5fcd080974a40730fb9d17be/1607272458533/37525911060.pdf
- https://static1.squarespace.com/static/5fc71f15eddbb05c68937f14/t/5fcd0998a87f9f1b19dd39ed/1607272857445/prison_break_season_5_netflix_release.pdf
- https://static1.squarespace.com/static/5fc0bd728787e879896b3111/t/5fc0df46a97599144e17943a/1606475592184/paintshop_pro_x9_vs_2019.pdf
- https://uploads.strikinglycdn.com/files/4dae9317-be82-4add-9d9a-752b47634eff/the_boy_in_the_striped_pyjamas_gretels_room.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000bd8a.bin` `55f6c8b40bfc3249ef7ac64e520df201ba85db71baaab54f8642f26fce77c13f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBD8A	5104 bytes
`font_01_sfnt_off0000ced6.bin` `93dde5de4e0c8812d2f0bce2852b80733179b0d0a025fa1fc1be22fb9237a1f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCED6	10764 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.