PDF malware analysis — malicious · 9060fdd9d001dbfa

MALICIOUS

PDF

77.0 KB Created: 2021-03-30 02:22:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 01e9a45c10641d863bbf5d76ecc1da18 SHA-1: 73a05016b304c4bb90d73c642e058179b3f05c27 SHA-256: 9060fdd9d001dbfae092824d8a342ecd391aaede2f51a6b49064f63f741327a1

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document flagged by ML classifiers and ClamAV as malicious. It contains an embedded URI pointing to 'golowaki.ru', which is likely a phishing or malware distribution site. The document body, though heavily obfuscated, contains text related to economics, suggesting a lure to disguise the malicious intent. No scripts were extracted, but the presence of external URIs and the overall malicious verdict strongly indicate a phishing or malware delivery attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://golowaki.ru/award?keyword=break+even+point+in+economics+pdf
- https://cdn-cms.f-static.net/uploads/4426688/normal_60332432e978d.pdf
- https://cdn-cms.f-static.net/uploads/4374520/normal_6046d43b943c4.pdf
- http://dimivetow.iblogger.org/zefufi.pdf
- http://perevod24-card2card.site/4311995767ld4ue.pdf
- http://sentytld.online/salusebefadakiganulal7vuf7.pdf
- http://wenijivi.iblogger.org/67974911354.pdf
- https://cdn-cms.f-static.net/uploads/4366339/normal_6062146f43300.pdf
- https://cdn-cms.f-static.net/uploads/4490273/normal_605d68e8a93e7.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://begosene.epizy.com/guided_reading_activity_year_2.pdf
- https://9cfe8934-cc69-4f76-a0d0-2e9849ea4530.filesusr.com/ugd/fd9558_98ddf6cf24cd4a5e8182c814cfe1ce61.pdf?index=true
- https://s3.amazonaws.com/dinisemowoge/jajeguletaxef.pdf
- http://tumuxisirawev.rf.gd/contoh_report_text_kelinci_beserta_generic_structure.pdf
- https://a49aa754-465e-4bbd-924e-b3d0e7b66bd4.filesusr.com/ugd/81d6a4_542da94d95a24ef38e9d4219bac28ecb.pdf?index=true
- http://nusumonujarufed.rf.gd/a_history_of_western_music.pdf
- http://vosojeki.epizy.com/4940153961.pdf
- http://dereduvate.epizy.com/jofilapoxosamoluzovu.pdf
- https://s3.amazonaws.com/mupukesunobaga/best_android_tv_app_store.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ec05.bin` `52ef6c8e605b2919ab0656df28f6d50aee70de0085923575e05b7aa40ac8db93`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEC05	5444 bytes
`font_01_sfnt_off0000fe7c.bin` `399029243398c54ac0b355c6b21baa54f05617c38a95d94e8d017e5d86337973`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFE7C	11752 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.