PDF malware analysis — malicious · 92886219245fe7e8

MALICIOUS

PDF

71.2 KB Created: 2021-03-24 17:09:34 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 813e8a3b9475046281bb9d64605e33d7 SHA-1: e7fbfb9666d02fc5b924618fdc8dc252cb6d298f SHA-256: 92886219245fe7e8af04b7730121e5375673d7b7c50753fa8725a2678c2cee5c

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document identified as malicious by ML classifiers and ClamAV. It contains an embedded URI pointing to a suspicious domain, which is likely intended to redirect the user to a phishing or malware distribution site. The document body is heavily obfuscated, but the presence of external URIs suggests an attempt to lure the user to a malicious external resource.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://druttle.ru/wix?keyword=optical+electronics+yariv+pdf
- https://cdn.sqhk.co/vogigoda/cJij1dy/nanibeviwimera.pdf
- https://static.s123-cdn-static.com/uploads/4449627/normal_5fcb5a9d59cb9.pdf
- https://cdn-cms.f-static.net/uploads/4415937/normal_6020fa6936570.pdf
- https://cdn.sqhk.co/baxajufim/eIhbROt/vopedogutovidiwuvemu.pdf
- https://xubejuvanexog.weebly.com/uploads/1/3/5/3/135311054/wazefeva.pdf
- https://static.s123-cdn-static.com/uploads/4381105/normal_6000d5419c34a.pdf
- https://lepamume.weebly.com/uploads/1/3/4/8/134882258/cee9c8ae4c.pdf
- https://static.s123-cdn-static.com/uploads/4452839/normal_5ff81c708daa8.pdf
- https://cdn-cms.f-static.net/uploads/4408343/normal_5fd2c9d3e83ca.pdf
- https://cdn.sqhk.co/keropolor/zii6geB/bubina.pdf
- https://momobamuv.weebly.com/uploads/1/3/2/3/132302987/kirowe.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://27158da8-170d-48ca-a528-b8ced62fe517.filesusr.com/ugd/9fc8c3_f138bc18c9824cb3a75dd354be95db86.pdf?index=true
- https://s3.amazonaws.com/zuvovoxigumuz/how_to_use_engineering_lettering_guidelines.pdf
- https://99ca13e2-8bf0-45b2-93fa-bbfb519f101f.filesusr.com/ugd/5392be_f417f36d7f634444b64dafb0531a37e6.pdf?index=true
- https://s3.amazonaws.com/vazisi/dnr_fishing_report_sc.pdf
- https://s3.amazonaws.com/vufuzewasi/well_synonym_formal.pdf
- https://s3.amazonaws.com/safenalavojuwu/assoluto_racing_cheat_apk.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d929.bin` `6707f322726c645b6142dc0613f24f78e9c4d17c281d751423972741ef5ff8c9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD929	5340 bytes
`font_01_sfnt_off0000eb69.bin` `ba7f57d584196ef5da766660097f0dc000b24f7e4a3dd3611a5e0a1da20640e5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEB69	10776 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.