PDF malware analysis — malicious · 71c4927cb69600d6

MALICIOUS

PDF

66.2 KB Created: 2020-12-21 22:00:21 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: d245ba917a82b2526c76e815803538d2 SHA-1: be1652fd1a1632c9b795ebcd79879b02476ad43b SHA-256: 71c4927cb69600d6143bbf661e18773d0b3271f9689ca6d64c175fc6cbf10ab2

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier, indicating malicious intent. The embedded URL, 'https://traffine.ru/strik?utm_term=superhero+captain+x+vs+kungfu+lee+mod+apk', suggests a phishing or social engineering lure, likely attempting to trick users into downloading malware disguised as a game mod. No scripts were extracted, but the PDF structure and URL are sufficient to infer a phishing attack pattern.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://traffine.ru/strik?utm_term=superhero+captain+x+vs+kungfu+lee+mod+apk
- https://cdn-cms.f-static.net/uploads/4369653/normal_5fdb7ead868a7.pdf
- https://cdn-cms.f-static.net/uploads/4417817/normal_5fa4fa1b4644e.pdf
- https://cdn-cms.f-static.net/uploads/4460255/normal_5fd7d06f71570.pdf
- https://static.s123-cdn-static.com/uploads/4489033/normal_5fc99e45bda87.pdf
- https://cdn-cms.f-static.net/uploads/4366034/normal_5f890d231008a.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/geraromu/45197794445.pdf
- https://s3.amazonaws.com/rekorewexidiwo/diliwizo.pdf
- https://s3.amazonaws.com/lusabifef/75008242589.pdf
- https://uploads.strikinglycdn.com/files/4e6997f0-c52f-46e0-9b65-aa911c32eb72/moral_reconation_therapy_workbook_answers.pdf
- https://uploads.strikinglycdn.com/files/ab0d8025-7cb1-4ba9-b210-663339506c0d/south_mountain_community_church_south_jordan.pdf
- https://uploads.strikinglycdn.com/files/75291e56-e29a-46a6-b46d-96ba1bcc52a6/wezulamupeda.pdf
- https://uploads.strikinglycdn.com/files/203e9b02-d3c4-4b49-82ce-e8a04dc963ad/clash_royale_apk_hack_happymod.pdf
- https://s3.amazonaws.com/wexoteluwag/sexifefovafuxiw.pdf
- https://s3.amazonaws.com/puretulenuza/bhai_cha_birthday_hd_video_song.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c285.bin` `2ffac99e45980418c6c6356737945cabf76fc546b5f1686c835e6461c75fccbd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC285	5864 bytes
`font_01_sfnt_off0000d65c.bin` `cdb14f2e4ed1b872251821b729b4fad1167621b416954f171f02e11f1c3b120b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD65C	10932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.