PDF malware analysis — malicious · 867da9d92d27f2fd

MALICIOUS

PDF

162.4 KB Created: 2021-03-12 19:04:58 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 0d3ec57cda4a0366e0d01560b4295d12 SHA-1: e2a765b76bed08a893f92f4c865b5dac6dd9730a SHA-256: 867da9d92d27f2fd45bcf0f28cf5d46954795e208a8b6502d74851cdad85a63a

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, with a specific ClamAV signature indicating a phishing trojan. It contains numerous embedded URLs pointing to external domains, suggesting an attempt to redirect the user to malicious sites. The presence of PDF_URI and EMBEDDED_URL heuristics further supports this attack pattern.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://resalured.ru/123?utm_term=colorlib+html+templates
- https://cdn.sqhk.co/mojafefegamo/5Sietjd/dokixamubejadigonibivi.pdf
- https://lujajumivovun.weebly.com/uploads/1/3/0/7/130776132/nigufumebefurosetus.pdf
- http://pavajevubuj.iblogger.org/blender_2._78_mac.pdf
- http://community-day.ru/golds_gym_trainer_420_manual1bmbo.pdf
- http://bloodcraft.online/gas_natural_vehicular_precio_instalacintdsao.pdf
- https://cdn.sqhk.co/kinanekoxo/ZGxxjgt/jinofivamegomodugem.pdf
- https://lusovajilabijix.weebly.com/uploads/1/3/5/3/135351537/zajudexexujiw.pdf
- https://kobalogowitat.weebly.com/uploads/1/3/0/7/130776452/45e29294.pdf
- https://cdn.sqhk.co/vujagefamig/ibhguJ6/60671850860.pdf
- https://ronumotesagazuw.weebly.com/uploads/1/3/4/3/134373959/ruzididuxog_dovux_fodejozozexaw.pdf
- https://cdn.sqhk.co/fejavegiwo/1hcPijU/58476854657.pdf
- https://zatiwakap.weebly.com/uploads/1/3/1/8/131871625/374831.pdf
- http://vulefuxudonad.22web.org/implosion_full_version_apk_1._2._11.pdf
- https://cdn.sqhk.co/keridola/vFgjzIr/kexexi.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/89e1d93f-07df-4012-b919-08bcf8682fe2/39079001313.pdf
- http://rojuzejuleg.rf.gd/nuzifegeweduv.pdf
- http://miwetiguv.epizy.com/59921515697.pdf
- https://uploads.strikinglycdn.com/files/d01f8c43-b9d4-4bed-a3f6-34f77486165a/legozi.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00024685.bin` `e43e478f092c56bf1e191e66a2bcd3e9257b8047e7bfa67042cd8483272af8a1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x24685	5104 bytes
`font_01_sfnt_off000257a0.bin` `3f8045031c130fa18bf9e0d5c290f9351c4a4659e604f7f2fc278dc4134d5338`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x257A0	10976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.