MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was detected as malicious by ML classifiers and ClamAV, specifically identified as a phishing trojan. It contains an embedded URI pointing to 'golowaki.ru', which is likely used to host or redirect to a malicious payload. The document's content, though heavily obfuscated, suggests a lure related to a PDF download, aligning with a phishing attack pattern.
Machine Learning
- Nyx PDF Classifier malicious score 0.9992
Heuristics 4
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://golowaki.ru/123?utm_term=allegory+in+lord+of+the+flies+pdf (PDF link annotation)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00012907.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12907 | 5184 bytes | 4ff213de8780355f8019cda2730a011fdf36ba2889e03e02cfbdf8b6f2430f9d |
| font_01_sfnt_off00013ab6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13AB6 | 10956 bytes | ad6df5a2e8032a9869acf7feeec090c23f285a6f25cff002e65c5c128fda2390 |