PDF malware analysis — malicious · 6dee6b4af189954e

MALICIOUS

PDF

122.8 KB Created: 2021-02-18 20:46:03 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: d142a68945f0790450959e0bb0935988 SHA-1: 7788dbde7d773cced4a8ae06a6881de8b2264103 SHA-256: 6dee6b4af189954e5639a1373636638cacb6c2fde12c7adfa1541c64daa8e50f

136 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was detected as malicious by ClamAV and an ML classifier, and heuristics indicate it uses an advance-fee scam lure. The embedded URLs suggest it may download further malicious content, likely a second-stage payload, which is a common tactic for phishing documents.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE

Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://maypoin.ru/wix?keyword=schedule+d+28+rate+gain+worksheet
- https://cdn.sqhk.co/wikaraxixi/B0ihjcO/57931676883.pdf
- http://boomua.site/mechanical_keyboard_amazon_prime_day3y57t.pdf
- https://medogizelolu.weebly.com/uploads/1/3/1/0/131070938/mibivunew_zozememewedibod.pdf
- http://help-copyrightviolationhelpcenter.com/leaf_and_flower_anatomy_worksheet_answersj7dkk.pdf
- http://songkfrk.site/688108142474ysuw.pdf
- https://wejobufobugof.weebly.com/uploads/1/3/5/3/135348322/b26d72dd0.pdf
- https://rulafowobunafo.weebly.com/uploads/1/3/5/3/135391395/6568049.pdf
- http://milansit.space/super_granny_pc_game_freeirq6v.pdf
- http://lazadacostumercenter.com/798109001693jjxu.pdf
- http://abwaab.su/cv_template_word_gratis_enzv2cg.pdf
- http://13millions.store/blue_planet_world_biomes_webquest_answer_keyot211.pdf
- http://craftsmansmetics.com/walking_with_dinosaurs_ielts_answergh75v.pdf
- http://vulgargirls.fun/cara_menyelesaikan_score_hero_level_4006d0ur.pdf
- http://cashfree.store/yaddanapudi_sulochana_rani5cahi.pdf
- https://kasababafaraw.weebly.com/uploads/1/3/5/3/135336348/b9d4a5e5.pdf
- https://xunitaminovo.weebly.com/uploads/1/3/5/3/135349323/gomonavamev.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0001a5db.bin` `a69bfcd457af5e0294e0a76c98af88d7515e67022f1e5e6d6b5327441f3e5f4b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1A5DB	5788 bytes
`font_01_sfnt_off0001b992.bin` `072424d8026e0a5e7425d178118869b9c265467cbc0fa00dca755fa1e6207b50`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1B992	10660 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.