PDF malware analysis — malicious · 7d2b39694ac26ab7

MALICIOUS

PDF

74.8 KB Created: 2020-12-04 07:24:25 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b381b23132f75b77c8e6e17abba34b8e SHA-1: eb86b17e1bc274e8c8a50d4847084fb115536760 SHA-256: 7d2b39694ac26ab763ce70c36144b83f539824ecb5f85519cfd1900ad9880ca9

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, which is likely part of a phishing or malware distribution scheme. Although no scripts were explicitly extracted, the PDF structure and embedded URI suggest an attempt to redirect the user to a malicious site.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://trafficel.ru/aws?utm_term=aradois+50+bula+pdf
- https://cdn-cms.f-static.net/uploads/4365600/normal_5f87540630a2f.pdf
- https://cdn-cms.f-static.net/uploads/4390097/normal_5f8f6b225d319.pdf
- https://cdn-cms.f-static.net/uploads/4371809/normal_5fbe083c50e55.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static1.squarespace.com/static/5fc5b3eee5c7695ca9bc5168/t/5fc8747b970db930d9c1a528/1606972540398/55295190321.pdf
- https://uploads.strikinglycdn.com/files/1b49fe6f-2b0e-44fc-8604-c229a8fe1d2a/neo_geo_x_emulator_download.pdf
- https://uploads.strikinglycdn.com/files/d2fc0bfb-9f97-4f7a-9692-75ad1f815b92/75823728768.pdf
- https://static1.squarespace.com/static/5fbfdd38a3bf4b14aba341ea/t/5fc0ee944e98326c02322fa6/1606479509409/64503040793.pdf
- https://uploads.strikinglycdn.com/files/eec1a767-456e-4024-a8b8-6b0a76b6e09c/74907241474.pdf
- https://static1.squarespace.com/static/5fc0b633d26ff1194f72bba3/t/5fc972c5dffee55515134db9/1607037638083/16463957989.pdf
- https://uploads.strikinglycdn.com/files/23e8b3e9-ef59-4de9-9157-ab52c5f25ecd/nba_jam_2016_apk_ios.pdf
- https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbcf3e09d104e5f152d010a/1606218720967/what_is_asset_based_pricing.pdf
- https://static1.squarespace.com/static/5fc0c67840f1034a5ca82603/t/5fc1bb12173fb5383be34636/1606531859086/nujaxagub.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e7f1.bin` `35276e4a03b6bbab59f4fba1860000c994e77c790d1505c0a68e089c9596cff7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE7F1	5432 bytes
`font_01_sfnt_off0000fa71.bin` `fa84caff1c1175414e38058ae06e29cab56bc416b1825b021bf31b80379ba281`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFA71	10652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.