PDF malware analysis — malicious · a7758d557c6a3359

MALICIOUS

PDF

79.7 KB Created: 2021-03-14 14:49:42 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7897833b34dc1aafc741dad2af3f25d3 SHA-1: 29c29c5f6e59f5fc5c9d4bb6a17ff5c7e92c839c SHA-256: a7758d557c6a335957ac7b4e6766087afab966e4fd007ee9b362ea2a40ecb8af

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document identified as malicious by ML classifiers and ClamAV. It contains an embedded URI pointing to a suspicious domain, likely intended to trick the user into visiting a phishing or malware distribution site. The document body, though heavily obfuscated, suggests a lure related to 'drill bits'. No scripts were extracted, but the PDF structure itself facilitated the embedding of the malicious URI.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ponafet.ru/strik?utm_term=best+drill+bit+for+concrete+post
- https://cdn-cms.f-static.net/uploads/4420764/normal_60236045991cc.pdf
- http://gakmancreatures.ru/amazon_how_to_draw_really_cute_stuffq2i1y.pdf
- http://bio-ita.fun/nukajudiboputovejoxesime63wkm.pdf
- https://cdn-cms.f-static.net/uploads/4402949/normal_604a39db2d580.pdf
- https://cdn-cms.f-static.net/uploads/4483354/normal_604dd17e45cea.pdf
- http://midadef.iblogger.org/roll_over_to_zoom_troy-bilt_gasoline_edger_25a-516-766.pdf
- http://hellochildren.online/70212552253v61ww.pdf
- https://cdn.sqhk.co/posojuvapono/vmUoDig/beach_buggy_blitz_2_apk.pdf
- https://cdn.sqhk.co/dogatefi/jhcghib/gomixujigurofowuxedanoj.pdf
- https://static.s123-cdn-static.com/uploads/4477913/normal_60044c7b0f7d7.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/kovezux/jifenizomubibututunege.pdf
- http://xerevim.epizy.com/joie_allura_travel_cot_sheet.pdf
- https://s3.amazonaws.com/nawosineromigi/teruxogidixodurajafa.pdf
- http://wazuvit.rf.gd/61030094478.pdf
- http://bikinegisuzuse.rf.gd/39293801513.pdf
- https://s3.amazonaws.com/nijudow/nazazewutaberevuridir.pdf
- https://s3.amazonaws.com/napejaxosinages/ximimegotuketufivotuner.pdf
- https://s3.amazonaws.com/vazisi/newikonexitezufijelizume.pdf
- https://s3.amazonaws.com/firigugixujotov/scheer_platform_pipeline.pdf
- https://s3.amazonaws.com/wujanozo/37109722003.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f9f8.bin` `4e41a10000f0db3b936aebe0058d5a89b3186c493333c587a9d094907cab327b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF9F8	5128 bytes
`font_01_sfnt_off00010b79.bin` `c0becb3dc0086a96d1d5c703c4fb33ce2f09badc415b452956b337c9368ba497`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10B79	11268 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.