Verdict: MALICIOUS (Risk Score 96)
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier, indicating malicious content. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a phishing or malware download site. The document body, though heavily obfuscated, contains text that appears to be a lure related to 'Storm king's thunder rune items'.
Machine Learning
- Nyx PDF Classifier malicious score 0.9757
Heuristics (4)
- ClamAV (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL reached via PDF link annotation: https://xajibur.ru/strik?utm_term=storm+king%2527s+thunder+rune+items
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00037d3c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x37D3C | 5200 bytes | 72801b60b8f7fc43cb0c1343e1b2cfb839257ce86d1ea139093d73efc56d20b5 |
| font_01_sfnt_off00038ec5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x38EC5 | 11192 bytes | 2390da692dd346d742225f42c7ae1de4e0134367865999b5573566b24b2a3152 |
| font_02_sfnt_off0003b52b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3B52B | 16232 bytes | f9e711f2bfa3a8b6ac2e655ede59d1153c5b1845b6ef0bf43f0f7514c3c7ee70 |