PDF malware analysis — malicious · 778fd0914d65ecab

MALICIOUS

PDF

69.3 KB Created: 2020-12-18 13:00:03 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5d0339e6405bdb4730443c0dceb97b51 SHA-1: 76e2eb055e9d8b95c855c1203f1c93637128070e SHA-256: 778fd0914d65ecab77630c325fa930aa6408ebf3ab5b700b5b32557360dbb70a

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains heuristics indicating the presence of external URIs and is flagged by a machine learning classifier and ClamAV as malicious. The embedded URL points to a domain that appears to be part of a phishing or malware distribution scheme, disguised as a free download for a car manual. No scripts were extracted, but the overall structure and URL suggest a phishing attempt to deliver a second-stage payload.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://trafffi.ru/strik?utm_term=2007+bmw+x3+owners+manual+free+download
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static1.squarespace.com/static/5fc689fec14dfd36fe18787c/t/5fd6ca99e5ac582896321342/1607912089519/metulamobedap.pdf
- https://uploads.strikinglycdn.com/files/687ac9ab-9de9-4f0c-b379-5c025130c105/werera.pdf
- https://static1.squarespace.com/static/5fc0fd9af9866f3fd2d4d777/t/5fc1af423485235c8605e975/1606528834481/tozufemuriba.pdf
- https://uploads.strikinglycdn.com/files/3cb8584a-adcf-4b6e-ac98-69056668e036/59073893173.pdf
- https://uploads.strikinglycdn.com/files/f85af7d9-0a9c-47b6-966e-f265b7e9ea3d/rofepivod.pdf
- https://uploads.strikinglycdn.com/files/863de356-8b28-44d7-b887-4c83e6cc576d/ridgevue_high_school_nampa_id.pdf
- https://static1.squarespace.com/static/5fcdf6b48a6527414899ddfa/t/5fd081bfa91a8d24337c9324/1607500224659/talking_gf_apk_download.pdf
- https://uploads.strikinglycdn.com/files/eacdf037-2027-4586-86ea-d7e00dd5abb5/nugaxunepuzi.pdf
- https://static1.squarespace.com/static/5fbffc42bda9c57a97b92422/t/5fc32fb03485235c862edbfa/1606627250106/james_madison_middle_school_appleton_wi.pdf
- https://uploads.strikinglycdn.com/files/31543e98-5ea8-44f9-a0d8-da49b1d389ab/the_fall_of_america.pdf
- https://static1.squarespace.com/static/5fc18950b8467722f1d8bdf7/t/5fcebf7a01eaf4591e14a4b8/1607384954842/homemade_vanilla_cake_recipes_from_scratch_easy.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ce15.bin` `82365b365b5e4fc9436f7ebea6ca1ca18271b172d8218dbbd396a44014a6682a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCE15	5776 bytes
`font_01_sfnt_off0000e1c0.bin` `79f1ee2fc62f5380f0af2c06ee01e20def26d4619e313a5702ddc2fbddd94527`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE1C0	10896 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.