PDF malware analysis — malicious · 8d697e794a3dce98

MALICIOUS

PDF

76.3 KB Created: 2021-05-05 17:07:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: cc534ca04d2081157ce70c20f000a889 SHA-1: 9889cf1cdbebaf052894b6a8dd99daf9016955a8 SHA-256: 8d697e794a3dce987131e4f2d231d199b7d30d5c6878a3db54815a75ce7b5aad

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains an embedded URL that masquerades as a guide for cleaning a furnace filter. This URL, 'https://xezojetit.ru/strik?utm_term=how+to+clean+a+furnace+filter+properly', is highly suspicious and likely leads to a phishing or malware distribution site. The ClamAV detection and ML classifier strongly indicate malicious intent, aligning with a spearphishing attachment tactic.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://xezojetit.ru/strik?utm_term=how+to+clean+a+furnace+filter+properly
- https://static.s123-cdn-static.com/uploads/4409627/normal_5ffca427d7bdd.pdf
- https://cdn-cms.f-static.net/uploads/4377112/normal_60419fe23dec3.pdf
- http://kzrovk.xyz/best_bread_maker_in_malaysia8vs0w.pdf
- https://cdn-cms.f-static.net/uploads/4376088/normal_6015c4fc23342.pdf
- https://cdn-cms.f-static.net/uploads/4385852/normal_605b89ecc687e.pdf
- https://cdn.sqhk.co/gixelotopa/iamrAji/pop_shooter_blast_mod_apk_unlimited_money.pdf
- http://youla-24.cc/nacto_urban_bike_design_guiders58b.pdf
- https://cdn-cms.f-static.net/uploads/4366358/normal_606648de66389.pdf
- https://cdn-cms.f-static.net/uploads/4468820/normal_5fea40ca1d6cb.pdf
- http://english-10.site/bokaxedaxajuzomuifrm4.pdf
- https://cdn-cms.f-static.net/uploads/4454678/normal_602a545837333.pdf
- https://cdn.sqhk.co/rorefevobo/exBvajd/bricks_breaker_balls_shooter_mod_apk_download.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/jobavo/15442057735.pdf
- https://uploads.strikinglycdn.com/files/8b22aca3-a003-4b01-a403-5969865c19f2/2006_chevy_malibu_3.5_power_steering_pump.pdf
- https://uploads.strikinglycdn.com/files/a303f681-3f03-456a-9b22-5fe9e9a28a39/fizimemiva.pdf
- https://s3.amazonaws.com/viwoxuz/jibexax.pdf
- https://uploads.strikinglycdn.com/files/1c43d0df-f9b1-4e46-a20d-7035442681f2/waffle_house_job_positions.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000efaf.bin` `0006d8a699d7199a13827183a676e02efbee6d20578997ec02cc5c897af0fe05`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEFAF	4988 bytes
`font_01_sfnt_off000100d4.bin` `3ea8ee872cdb3b391ca5386034d7f092b8dff2b0abe08f31710222a20967820f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x100D4	10408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.