MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically identified as a phishing trojan. It contains an embedded URL that leads to a suspicious domain, suggesting a phishing or scam attempt. The document body, though heavily obfuscated, contains fragments that hint at a lure related to 'thinkorswim free', further supporting the phishing pretext.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 4
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://pistant.ru/pbw?utm_term=is+thinkorswim+free (PDF link annotation)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e543.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE543 | 4856 bytes | eccfca13435abbc57424229324c651db2b11ead2d5c16fefaefde9eab03e86c7 |
| font_01_sfnt_off0000f5b2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF5B2 | 11408 bytes | 779efb634f2e0bb59de972280e9c6c2cbe86e6fb657cb875ad54e4d1aa8311fd |