PDF malware analysis — malicious · 9b576edebb33799d

MALICIOUS

PDF

73.7 KB Created: 2021-03-22 05:46:06 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a1d82b3ea9c81d27dfbbbe75affee45b SHA-1: 26eaf863f4c5b23ab35e490a9b22ec1a0294b47c SHA-256: 9b576edebb33799dbccfb984afeffde559afdadab19a4c3584b3bc4943e7dbff

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier. It contains an embedded URL that leads to a phishing site, disguised as an instruction manual. The PDF structure itself does not contain executable scripts, but the presence of the malicious URL strongly suggests a phishing attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://jumiwimov.ru/wix?keyword=proctor+silex+rice+cooker+instruction+manual
- https://cdn-cms.f-static.net/uploads/4393034/normal_60324cbaabe2b.pdf
- https://budovatepita.weebly.com/uploads/1/3/1/3/131398204/3560438.pdf
- https://toripifisesu.weebly.com/uploads/1/3/4/3/134367164/7548638.pdf
- https://cdn.sqhk.co/bebetirifam/ihFlOjb/pearson_math_test_answers.pdf
- https://letosuve.weebly.com/uploads/1/3/0/7/130739520/2427905.pdf
- https://cdn.sqhk.co/sadirorig/cSghZgh/nujuguxunugileje.pdf
- http://reassurez-moi-fr.info/electrical_calculations_cheat_sheetrasu0.pdf
- https://vogaxuruxav.weebly.com/uploads/1/3/4/3/134352923/e182759f05.pdf
- https://muwujexowosis.weebly.com/uploads/1/3/1/4/131437891/d132bbb0232d.pdf
- http://bepebeku.22web.org/38105830372.pdf
- https://cdn-cms.f-static.net/uploads/4369773/normal_604f31e91581c.pdf
- http://womenita.fun/the_outsider_albert_camus_freesid0o.pdf
- https://cdn.sqhk.co/muwazubivotu/IjhzZhd/safari_park_tickets_costco.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://fegumipidibig.rf.gd/gawudagilanoke.pdf
- https://uploads.strikinglycdn.com/files/c0cad872-9fc3-4e58-9620-bda37c0dbd60/fipoko.pdf
- https://uploads.strikinglycdn.com/files/8597a40b-cf77-4d7c-af45-7d21c13b186b/dd_3.5_celestial_creature_template.pdf
- https://uploads.strikinglycdn.com/files/6cb5ce6d-efe4-420a-a72d-d5fa895e49db/zujekepivis.pdf
- http://jisuwexadik.rf.gd/mgh_cardiology_board_review.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e158.bin` `0e53d6e35b6213efac0bc753c215a1fbecae184615d28d6affa9c8d4fa257dc7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE158	5080 bytes
`font_01_sfnt_off0000f28b.bin` `d19ce5cdc0a0ed053a8d12274c68f0458c74b9f7c35b9187b7e08a8392f6ff38`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF28B	11804 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.