PDF malware analysis — malicious · 75e123d8933b7842

MALICIOUS

PDF

74.2 KB Created: 2021-06-10 15:46:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-27

MD5: a838a31dbc792b652440a7d2a25939ea SHA-1: 64e60ddcc8afb62becdaf0e6b37796521b4381be SHA-256: 75e123d8933b78422da1217bdf92a5eeed522d244c5db22096ff93640b273afd

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a suspicious domain, which is likely part of a phishing or malware distribution scheme. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though heavily obfuscated, contains references to 'Tractor game download apk 2020', suggesting a lure to download software.

Machine Learning

Nyx PDF Classifier malicious score 0.9960

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://medvor.ru/pbw?utm_term=tractor+game+download+apk+2020 PDF link annotation
- https://static.s123-cdn-static.com/uploads/4421612/normal_5fc95633b27ac.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4467285/normal_5ffcc817c7467.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4446494/normal_6006c6f563544.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4480878/normal_5fdefb610d15a.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4383136/normal_60339b57788ab.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4463807/normal_601de7f06c45b.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4369313/normal_5ff1880bdad69.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4427080/normal_605a4ed741e4a.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4505363/normal_5fe163551d90a.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/33ba327f-33d8-464c-81f1-57d4e3604cb1/37453146133.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/bf76835e-11ab-4c21-88b3-a3025b3eec06/the_girl_with_the_dragon_tattoo_cast_2009.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/6b8da82b-8d41-4188-8d74-1eeb98090a24/60994554041.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/be183fb8-ec84-41b9-a555-b1299dd7099c/self_leadership_and_the_one_minute_manager_book_review.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ab6263c0-1ceb-4392-9c60-935332aeb92a/gatugupun.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/5b32b214-454d-4f0c-b838-d356800b7f90/civil_engineering_books_in_tamil.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f4e183c6-e992-42f9-a5b5-1f7ec5827efa/kazer.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/65225f79-dada-4c5a-aef4-dd5e4dd625cf/net_interview_questions_for_3_years_experience.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c93a8a3a-46e9-41e4-9ee5-8cd6cab26e53/mechanical_engineering_colleges_in_vadodara.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/28bb43cb-54c9-4399-85f2-40ade4821622/10867718598.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/aa12944a-0dc0-4234-a395-259c7711e07c/microbe_2nd_ed.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9caace33-20bb-4241-8922-832a5c059560/dosajaziwabofemapepibitub.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ae848b40-521f-4d22-97a9-9337e3e2bb74/7269076228.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0b9d6e5e-b65e-4718-9b28-754952ad0f27/grey_el_james_audiobook_youtube.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f6d9f99a-6893-4715-b7b0-9b463ce75681/who_invented_blow_up_dolls.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b0f935a3-6156-4780-93d8-83b420c48f65/how_to_cheat_with_tegrity.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7c2e7b0f-7f58-4ef4-b327-60fe474b8f27/ruvaxa.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e3ba.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE3BA	5596 bytes
SHA-256: `d20b70fd2c96521811f46e2533c0c95e86b17eefe71daa51991e459ea062b70a`
`font_01_sfnt_off0000f6bb.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF6BB	10676 bytes
SHA-256: `ec233b9f723fe920008e7484d6a53a9bd4b135113459267a26e2f6d5d7cba7e2`

Open this report in the interactive analyzer, or submit your own file for analysis.