PDF malware analysis — malicious · 8baa960bd9c7ce27

MALICIOUS

PDF

80.1 KB Created: 2020-12-27 17:25:01 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 43d732bf57f3fd0ed2471e553498692c SHA-1: d6fa3a03b66bec9cb7b7ccb051bdb4025d8dbadd SHA-256: 8baa960bd9c7ce27b16ff33f6340ee0afbd849d6f6d8dd7b03e32c5b6743598c

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The embedded URL and document body suggest a phishing or scam attempt, likely aiming to redirect the user to a malicious site. No scripts were extracted, but the PDF structure itself contains malicious indicators.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://trafftec.ru/strik?utm_term=dog+fighting+statistics+and+facts
- https://cdn.sqhk.co/fekawifen/fgdghge/swamp_thing_1982_imdb.pdf
- https://cdn-cms.f-static.net/uploads/4368488/normal_5f9128385f5a7.pdf
- https://kirugivedipabaw.weebly.com/uploads/1/3/4/4/134464293/4b6212ad.pdf
- https://cdn.sqhk.co/silinetufid/SWjiji1/new_santali_sad_ringtone_2019_download.pdf
- https://cdn.sqhk.co/bixatavafut/agfgigd/mini_stroke_causes_in_young_adults.pdf
- https://cdn.sqhk.co/bopesajan/cjgHAge/51684073803.pdf
- https://koxabiwepa.weebly.com/uploads/1/3/4/3/134309970/delizun_rizetop_vexifu_giputazegame.pdf
- https://cdn.sqhk.co/kinirebuseva/Iif3ic8/69863000567.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://uploads.strikinglycdn.com/files/a5fbbe18-d05f-4519-99b8-89f9eb06067c/suweliminokisilej.pdf
- https://s3.amazonaws.com/bawalidamovidud/53967704060.pdf
- https://uploads.strikinglycdn.com/files/60131c89-ec7e-456f-b404-6e7470af7a0f/bupivofajusinejatered.pdf
- https://s3.amazonaws.com/wajufifenoxuj/free_word_recipe_template.pdf
- https://s3.amazonaws.com/setaxilitozuko/vivowezefawu.pdf
- https://s3.amazonaws.com/wixamupelinere/32125562701.pdf
- https://s3.amazonaws.com/fokapikow/unconventional_crossword_clue_3_and_5_letters.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f17f.bin` `c08ed296b02ba57cdc71833888ad4990e6809392b3d47be0a3bb06c0c23f8054`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF17F	4824 bytes
`font_01_sfnt_off000101db.bin` `9214cb21d666e1bdd9bd67bf39c231d56d085075e932bc8028a10e9d4bd72abf`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x101DB	10316 bytes
`font_02_sfnt_off00012516.bin` `ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12516	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.