MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains an embedded URL that directs users to a suspicious domain, likely for credential harvesting or malware distribution. No scripts were extracted, but the presence of the malicious URL is a strong indicator of a phishing attack.
Machine Learning
- Nyx PDF Classifier malicious score 0.9980
Heuristics 4
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://ponafet.ru/strik?utm_term=le+mod%25C3%25A8le+de+l%2527atome+seconde (PDF link annotation)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0001a3d8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A3D8 | 5108 bytes | 46fac498492b9ec633212b6b88bd720af52dfb32066cdb1bf7b9d44fd3870528 |
| font_01_sfnt_off0001b4e9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B4E9 | 14424 bytes | 5418433a2e1364fde8bc18af0e879d0293f55205151d4b8193970e4c86902abc |