Malicious PDF — malware analysis report

Static analysis result for SHA-256 48b5d4b7da21a3fc…

Verdict: MALICIOUS
File type: PDF

Size: 67.2 KB
Created: 2020-11-18 11:57:24 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 983e4c35fbe4f075b5d7037300b71bda
SHA-1: 7bb71fcd7bc6d6ddbdc5fc3e3e9a6dd474f94d45
SHA-256: 48b5d4b7da21a3fc9ebb85c4fa308cdbcd66d594e027d9a68a2c62aa47a90483
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The ML classifier and ClamAV both flag the PDF as malicious; the ClamAV signature names it a phishing trojan. The document carries an external /URI link action pointing at a suspicious domain, the usual lure that sends the reader to a phishing page or a malware download. No JavaScript or other script content was extracted, so the T1059.007 mapping is not corroborated by the static findings; the verdict rests on the classifier score, the ClamAV signature, the embedded URI and the PDF structure (an indirect object defined twice with different bodies).

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers and scripts.sil.org/OFL is the font licence URL embedded in the font's copyright string; none of these is a navigable link target.
    • https://trafficel.ru/strik?utm_term=brian+queer+as+folk (label: URL)
    • https://cdn-cms.f-static.net/uploads/4367905/normal_5f8764a4f3eaf.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/1b6bb0f9-8da1-4303-a43a-963ba1932524/86486584155.pdf
    • https://uploads.strikinglycdn.com/files/0647633b-d82e-4e14-9c04-fd0300cc1e6c/representao_porta_correr_planta_baixa.pdf
    • https://s3.amazonaws.com/luxelula/91544082502.pdf
    • https://uploads.strikinglycdn.com/files/73defae9-04b0-4bbe-8a17-97f11961afa2/manualidades_para_mam.pdf
    • https://s3.amazonaws.com/mefadedosuw/13761201760.pdf
    • https://s3.amazonaws.com/wizidimawag/38064357167.pdf
    • https://s3.amazonaws.com/kewakuko/al_waqiah.pdf
    • https://uploads.strikinglycdn.com/files/7cd56357-a786-41f2-a1ab-9ace3824e575/but_in_all_things_pray.pdf
    • https://uploads.strikinglycdn.com/files/7e6e6f13-2b14-4118-9dd4-3a5fded9860c/uber_roadshow_presentation.pdf
    • https://uploads.strikinglycdn.com/files/7b876fd8-372b-4bd7-b6b0-d715363e9077/lazejawusoxul.pdf
    • https://uploads.strikinglycdn.com/files/6ae9480d-3c6a-438a-81c7-7ef6dc59957b/24340817922.pdf
    • https://uploads.strikinglycdn.com/files/c78538cc-2039-45c2-8ada-81b65dc75293/vazudeforubidisuxadutivim.pdf
    • https://uploads.strikinglycdn.com/files/3c1a0bec-b323-4285-a0f7-9a1fe2428591/mixazeva.pdf
    • https://uploads.strikinglycdn.com/files/59e7b36d-e0a6-4790-ad10-c99ec45c8735/cnn_10_december_13_2019.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
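The two structural heuristics above (external URI action, and the same indirect object defined twice with different bodies) can be reproduced with a short scanner over the raw PDF bytes. This is an added example written for this page, not the analysis platform's own code: the ACTIVE_KEYS list, the first-wins/last-wins policy names and the constructed SAMPLE_PDF are assumptions made for the illustration, and the sample reuses the trafficel.ru URL from the list above only as a constructed link target.

```python
"""Scan raw PDF bytes for duplicated indirect objects and /URI link actions.

Added example; not the analysis platform's code. It deliberately works on the
raw byte stream without consulting xref tables, because that is the view in
which the first-wins / last-wins ambiguity becomes visible.
"""
import re
from collections import defaultdict

# Keys that turn a duplicated object from a benign incremental edit into
# "active content" (assumption: chosen to mirror the heuristic's description).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")

# "N G obj ... endobj"; the lookbehind stops "15 0 obj" matching as "5 0 obj".
# A stream whose binary data contains "endobj" would confuse this; a production
# scanner must honour /Length instead.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
ESC = {ord("n"): b"\n", ord("r"): b"\r", ord("t"): b"\t", ord("b"): b"\b", ord("f"): b"\f"}


def pdf_unescape(s: bytes) -> str:
    """Decode a PDF literal string body: \\n-style escapes, \\ddd octal, \\( \\) \\\\."""
    out, i = bytearray(), 0
    while i < len(s):
        c = s[i]
        if c != 0x5C or i + 1 == len(s):      # not a backslash (or a trailing one)
            out.append(c)
            i += 1
            continue
        n = s[i + 1]
        if n in ESC:
            out += ESC[n]
            i += 2
        elif 0x30 <= n <= 0x37:               # \ddd: up to three octal digits
            j = i + 1
            while j < len(s) and j < i + 4 and 0x30 <= s[j] <= 0x37:
                j += 1
            out.append(int(s[i + 1:j], 8) & 0xFF)
            i = j
        else:                                 # \( \) \\ and unknown escapes: keep the char
            out.append(n)
            i += 2
    return out.decode("latin-1")


def index_objects(data: bytes):
    """Map (num, gen) -> list of body bytes in file order, duplicates included."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(data: bytes):
    """Objects defined more than once with differing bodies, flagged 'active'
    when any copy carries an active-content key (the severity-raising case)."""
    findings = []
    for key, bodies in index_objects(data).items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            findings.append({
                "obj": key, "copies": len(bodies),
                "first_wins": bodies[0], "last_wins": bodies[-1],
                "active": any(k in b for b in bodies for k in ACTIVE_KEYS),
            })
    return findings


def uri_targets(data: bytes, policy: str = "last"):
    """/URI action targets as resolved by a first-wins or last-wins reader."""
    hits = []
    for bodies in index_objects(data).values():
        body = bodies[-1] if policy == "last" else bodies[0]
        hits += [pdf_unescape(m.group(1)) for m in URI_RE.finditer(body)]
    return hits


# Constructed sample (not the analysed file): object 5 0 is a link annotation
# that an incremental update redefines with a different target. The xref
# tables are omitted because the scanner never consults them.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>\nendobj\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://example.org/brochure.pdf) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://trafficel.ru/strik?utm_term=brian+queer+as+folk) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for f in duplicate_objects(SAMPLE_PDF):
        print(f"{f['obj'][0]} {f['obj'][1]} obj defined {f['copies']}x, active={f['active']}")
    print("first-wins:", uri_targets(SAMPLE_PDF, "first"))
    print("last-wins: ", uri_targets(SAMPLE_PDF, "last"))
```

Run stand-alone it reports that 5 0 obj is defined twice with active content, and that a first-wins reader resolves the annotation to example.org while a last-wins reader resolves it to trafficel.ru, which is the divergence the heuristic describes. Compare its output with a real parser (one that honours xref and /Prev) on any sample where the two disagree; the disagreement itself is the finding.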

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000cb89.bin
SHA-256:  4bdc108c4ace9a4a2eec6fc83a54d6ee49e4f446b3fbe373c69f50460cba0bc7
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0xCB89
Size:     5000 bytes

Filename: font_01_sfnt_off0000dc9f.bin
SHA-256:  828b19a7ef1571afc2bd132b6b4699122d67ecff9fac3c9b5e807a1ff6605c06
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0xDC9F
Size:     10452 bytes
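The artifacts above are sfnt containers (TrueType/OpenType) located by their magic and sized from the font's own table directory. Below is an added example of that carving written for this page, not the analysis platform's carver; it assumes a blob ends with its last table (trailing padding is dropped), inspects only raw bytes and FlateDecode streams, and builds its own constructed SAMPLE_PDF from two toy fonts produced by make_sfnt (structurally valid but not usable fonts).

```python
"""Carve sfnt font blobs out of a PDF by magic, sizing each from its table
directory. Added example for this report, not the analysis platform's code."""
import hashlib
import re
import struct
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")   # TrueType, CFF OpenType, Apple 'true'
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def sfnt_length(buf: bytes, off: int):
    """Length of the sfnt starting at `off`, computed from its table directory,
    or None if the bytes there are not a plausible sfnt header."""
    if buf[off:off + 4] not in SFNT_MAGICS or off + 12 > len(buf):
        return None
    num_tables = struct.unpack(">H", buf[off + 4:off + 6])[0]
    if not 0 < num_tables <= 64:                      # real fonts carry a handful of tables
        return None
    end = off + 12 + 16 * num_tables                  # 12-byte header + 16-byte records
    if end > len(buf):
        return None
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        tag, _checksum, t_off, t_len = struct.unpack(">4sIII", buf[rec:rec + 16])
        if not all(0x20 <= b < 0x7F for b in tag):    # tags are printable ASCII ('CFF ', 'glyf')
            return None
        if t_off < 12 or off + t_off + t_len > len(buf):  # table would lie outside the buffer
            return None
        end = max(end, off + t_off + t_len)
    return end - off


def carve_sfnt(buf: bytes, origin: str = "raw"):
    """Carve every sfnt in `buf`; returns dicts with origin, offset, size, sha256."""
    found, pos = [], 0
    while True:
        hits = [i for i in (buf.find(m, pos) for m in SFNT_MAGICS) if i != -1]
        if not hits:
            return found
        off = min(hits)
        size = sfnt_length(buf, off)
        if size is None:                              # magic-looking bytes, not a font
            pos = off + 1
            continue
        blob = buf[off:off + size]
        found.append({"origin": origin, "offset": off, "size": size,
                      "sha256": hashlib.sha256(blob).hexdigest()})
        pos = off + size


def carve_pdf(data: bytes):
    """Scan the raw file, then the decoded content of each FlateDecode stream."""
    found = carve_sfnt(data, "raw")
    for n, m in enumerate(STREAM_RE.finditer(data)):
        if b"/FlateDecode" not in m.group(1):
            continue
        try:
            decoded = zlib.decompressobj().decompress(m.group(2))
        except zlib.error:                            # corrupt or truncated stream: skip it
            continue
        found += carve_sfnt(decoded, f"stream{n}@0x{m.start(2):x}")
    return found


def make_sfnt(tables, magic=b"\x00\x01\x00\x00") -> bytes:
    """Build a minimal sfnt container (constructed test data, not a usable font)."""
    header = magic + struct.pack(">HHHH", len(tables), 0, 0, 0)
    body_start = 12 + 16 * len(tables)
    directory, body = b"", b""
    for tag, payload in tables:
        directory += struct.pack(">4sIII", tag, 0, body_start + len(body), len(payload))
        body += payload + b"\0" * (-len(payload) % 4)   # tables are 4-byte aligned
    return header + directory + body


# Constructed sample PDF: one raw font stream and one FlateDecode-wrapped
# CFF OpenType stream (xref omitted; the carver does not need it).
FONT_A = make_sfnt([(b"head", bytes(range(56))), (b"glyf", b"\x01\x02\x03\x04" * 5)])
FONT_B = make_sfnt([(b"CFF ", b"\xaa" * 64)], magic=b"OTTO")
FONT_B_Z = zlib.compress(FONT_B)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"7 0 obj\n<< /Length " + str(len(FONT_A)).encode() + b" >>\nstream\n"
    + FONT_A + b"\nendstream\nendobj\n"
    + b"8 0 obj\n<< /Length " + str(len(FONT_B_Z)).encode() + b" /Filter /FlateDecode >>\nstream\n"
    + FONT_B_Z + b"\nendstream\nendobj\n"
)

if __name__ == "__main__":
    for i, f in enumerate(carve_pdf(SAMPLE_PDF)):
        print(f"font_{i:02d}_sfnt_off{f['offset']:08x}.bin  {f['size']} bytes  {f['origin']}  {f['sha256']}")
```

The file names it prints follow the same offset-based scheme as the artifact table. Sizing from the table directory rather than from the stream's /Length matters on hostile input: a font stream padded with trailing junk, or a stream that holds two fonts back to back, yields the right blob and the right hash either way, and a header whose tables point outside the buffer is rejected instead of producing a garbage carve.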