PDF malware analysis — malicious · 6cf3614d1f03b282

MALICIOUS

PDF

298.1 KB Created: 2020-12-21 04:04:09 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-12

MD5: 79651fe7589022b8c63fa074552066d9 SHA-1: 9e5557f4040aeacd83c276a55b9c1ab2d0a6f9c5 SHA-256: 6cf3614d1f03b28226869fd02f0779081daed32ffc805b69e0cd8a5e8bc184d9

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL that points to a suspicious domain, likely used to host a malicious payload or redirect to a phishing site. The document body, though heavily obfuscated, contains text that appears to be a lure related to 'guidelines'. No scripts were extracted, but the presence of an external URI and the overall detection suggest a phishing or malware delivery attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9807

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://traffnew.ru/aws?utm_term=esc+guidelines+2019+rivaroxaban PDF link annotation
- https://static.s123-cdn-static.com/uploads/4450340/normal_5fdfd7bf48bc4.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4420239/normal_5fa8ace44bf4b.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4383915/normal_5fb2e42c1dbe9.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4459641/normal_5fd3283a94035.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4462376/normal_5fb77ae35ffba.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4450512/normal_5faf5b43dd188.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/ganubatebedoxez/boat_bill_of_sale_form_california.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc5265da5bc066edfc13395/t/5fcad7501df7590d80d33a04/1607128913452/fps_encounter_real_commando_secret_mission_2020_mod.pdfIn PDF document text
- https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbd1ae41ea14523495a9dfc/1606228710533/la_prieta_gloria_anzaldua.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc56d9988c99b6d37c5c202/t/5fd6a440e5ac5828962cadba/1607902273860/sogorasaj.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc16425a3bf4b14abaca05c/t/5fc690364f98375720c45cd0/1606848573033/scary_zombie_counter_strike_fps_zombie_shooting_games.pdfIn PDF document text
- https://static1.squarespace.com/static/5fdea684ff074777c984c22e/t/5fdf2908fb7de13a64689c0f/1608460553746/94414552913.pdfIn PDF document text
- https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbf50ff5147b1480429d48b/1606373631544/mododixapepinabodujolog.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0533210d-f244-454a-b21c-a860d24e5a4f/lebanujinis.pdfIn PDF document text
- https://static1.squarespace.com/static/5fdf246b2dcd53187f20af33/t/5fdf8270a3b92b153c39b58e/1608483441042/memazesoxililonuwibuk.pdfIn PDF document text
- https://s3.amazonaws.com/gofiguj/calendario_de_vacunas_2018_argentina.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00044284.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x44284	5816 bytes
SHA-256: `f46909028cce0379bdb98c7691a1d17c7f148171cbfe62b4c2e280b797d26cca`
`font_01_sfnt_off00045669.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x45669	14100 bytes
SHA-256: `8455543c725fb8ddac26d3c442685b7f8102b141044bc0bd85ec3d1c31babeca`
`font_02_sfnt_off00048242.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x48242	16176 bytes
SHA-256: `d5c4435c43af6fa087261d190ae0a867b31240f3ed4c825f0de413216848aa8a`

Open this report in the interactive analyzer, or submit your own file for analysis.