PDF malware analysis — malicious · 9e4a9dc35e469847

MALICIOUS

PDF

82.2 KB Created: 2021-04-30 19:37:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-24

MD5: 4c0d4733be53e148781bbc0e13346785 SHA-1: 73b652710a6cda0c35a4b59afa351cf7c1d9583c SHA-256: 9e4a9dc35e469847c38f06310a728b8141ed36247e6be7e8b556fed9fc16c4c7

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a heuristic indicating an external URI, which points to a suspicious URL. This URL is likely part of a phishing attempt to trick users into visiting a malicious site. The ML classifier and ClamAV detection strongly suggest malicious intent, likely related to phishing or malware distribution.

Machine Learning

Nyx PDF Classifier malicious score 0.9990

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://druttle.ru/strik?utm_term=herman+miller+aeron+chair+size+b+vs+c PDF link annotation
- https://static.s123-cdn-static.com/uploads/4375344/normal_5ffb7209e4f2b.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4453342/normal_60292b3e9d95d.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4485807/normal_60601f53e771a.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4454671/normal_5ffe673b675a5.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4451563/normal_5fce64561451b.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4372383/normal_5fde0ac626d86.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4485434/normal_6014be45e7d59.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4411481/normal_6009f6e870ee8.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4464072/normal_5fd09bd8ca776.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4366661/normal_604b2416a399d.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4472783/normal_5ff03f9e5e082.pdfIn PDF document text
- http://gesetaxoxu.sportsontheweb.net/what_are_the_covid_19_health_protocols.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4409113/normal_5fef7aa04295e.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4425916/normal_5fd76e3204777.pdfIn PDF document text
- http://gukiduwonaxinef.getenjoyment.net/hp_elitebook_8540p_service_manual.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/98909952-63d4-46a4-ac6f-796430029cbd/madud.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/5f3d032e-d877-4a47-bb13-47c2f18afce3/6625170049.pdfIn PDF document text
- https://43a2ba88-5de9-465b-b95f-6a4d82f2d06e.filesusr.com/ugd/dcbeda_99b10eef88df4787a2f6c377853c1109.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/0e4a5eed-c4e7-4abc-8433-c7bea82a444f/sewelojomigubutigirip.pdfIn PDF document text
- https://0c2a99dd-71fd-4a0d-b96f-672cfa785c21.filesusr.com/ugd/515c54_4e90ed58869e4438ab4962f92b7b8d60.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/a06fb45c-ab3b-4ebb-880a-01f40bc8309c/tetukinubasewikulozu.pdfIn PDF document text
- https://7f58a6d3-5723-489e-a2bd-17fd91e1ddd5.filesusr.com/ugd/655495_1321b9a4935a446bb07a28e49dbafac6.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/6a7f8ccf-37de-4ae6-a18e-f166b48d6fe1/how_to_sync_two_ue_mini_boom.pdfIn PDF document text
- https://6f2fb29c-15f2-4b08-b525-3eb91a7f0a41.filesusr.com/ugd/c3548c_2678119619224f788615e9d256b1a2e1.pdf?index=trueIn PDF document text
- https://010f2e21-25ca-4560-806d-08cbbb7c7db1.filesusr.com/ugd/74a852_ec39ecb60fb644f7878fe1b32f83b49c.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000fb8e.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFB8E	5252 bytes
SHA-256: `2cdd76ff746782380eb6e0eff6e9dbcafd1d2c120b2e1d48a51550a54ecdf594`
`font_01_sfnt_off00010d38.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10D38	1800 bytes
SHA-256: `51ebeec29509b87aa858d500e37ac8853184703d07d1f913ce36d8e1dc7764c0`
`font_02_sfnt_off000115c6.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x115C6	10768 bytes
SHA-256: `4511f07862dc1845d3bff8d3536eb4222be5e89902ec937e3116bbdebaf92779`

Open this report in the interactive analyzer, or submit your own file for analysis.