PDF malware analysis — malicious · 45687cfebdb46262

MALICIOUS

PDF

79.0 KB Created: 2021-05-22 16:56:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-25

MD5: cfad60e3aa67fcf17cd56858ffbcfef4 SHA-1: 0a241af08ea14fcb4f7e984f751c67434c32858b SHA-256: 45687cfebdb46262f07e735abf19c6ebf38e00b53f4ec7132d9641c2b0330414

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. The embedded document body and extracted URL suggest a lure to download an application, likely malicious. No scripts were extracted, but the presence of an external URI points to a potential download or redirection attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9954

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://resalured.ru/strik?utm_term=como+descargar+geometry+dash+2.11+para+android+gratis PDF link annotation
- https://cdn-cms.f-static.net/uploads/4459055/normal_60239616362c1.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4489429/normal_5feb246dba7cc.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4446776/normal_60501e62a5181.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4418777/normal_5fdb29504a8a1.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4386086/normal_60292db2e6be0.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/97340c71-553c-415e-8798-adf907aa6e1c/most_frequent_gre_words.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8175c92c-176e-4d18-9352-cba0bd65bc6f/8826414819.pdfIn PDF document text
- https://s3.amazonaws.com/wewiro/free_email_advertising_templates.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/860881e6-6681-4045-ab6c-eb567cf14c7a/dupuronuritodemiso.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/5d880d29-65d7-4503-8678-d70b4715cc09/55210615387.pdfIn PDF document text
- https://s3.amazonaws.com/lakadutof/ncaa_division_2_universities_in_california.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b8a57df3-e8a8-4737-86df-c6771e9270fe/99507668862.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/5923d133-755d-408b-b759-25fb168b10d4/miwavasofixitemoru.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/dbb657ca-821d-410d-b43d-e802c0830c80/nuxudijipoluni.pdfIn PDF document text
- https://s3.amazonaws.com/fofeguj/41870581075.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/6fc1c3a9-b7a7-45c5-bbc9-0c75c446e124/vinozofupanimimi.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/31493718-8647-4bbd-a8a6-03e2a5fa052e/swann_cctv_systems_for_sale.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/37936a8d-6e06-4490-90cb-b1404e8c4762/3814440414.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/04bbc543-2fd1-42f6-9407-533b5447f9aa/12047158260.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/dacd01bc-4240-4777-9db0-cdbdd984271a/vevegukumiwepekev.pdfIn PDF document text
- https://s3.amazonaws.com/dejazuvorira/6877923412.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/97eff8f6-4cae-4eab-b50b-136af67b32b0/how_to_replace_battery_on_cyberpower_550va.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d5ab89ab-5c1b-4a50-8fe3-e3c85f1f6599/rewawigagavesipexepa.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/38ba9cb9-4d86-431d-b889-336721feaab2/2004_kawasaki_vulcan_nomad_1500_service_manual.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2e829034-8449-47bc-b9a7-89f8accb59bb/forged_in_fire_steak_knives_walmart.pdfIn PDF document text
- https://s3.amazonaws.com/ziwuvijevo/bajirao_mastani_full_movie_720p_filmywap.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e8bc.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE8BC	2880 bytes
SHA-256: `b90b109c34db9b2d961be312c0c64f13ba4f5af9c83d6ae4556a72cb7f468167`
`font_01_sfnt_off0000f2fa.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF2FA	5680 bytes
SHA-256: `b921857e32d6d2390d2c3086102964e172dc739b4d5af3bd3a29f62f480cc274`
`font_02_sfnt_off00010630.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10630	11388 bytes
SHA-256: `c67add191a6a934cc6faf30babf2aa9c8904f25c5d9d33c8e1590f52d86142bb`

Open this report in the interactive analyzer, or submit your own file for analysis.