PDF malware analysis — malicious · ac198ff1ef2597ba

MALICIOUS

PDF

73.3 KB Created: 2021-03-04 04:50:23 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c0fbb6ce0adc490cdd6e6c315c932b62 SHA-1: 49a3f53f88e6cfbec98fb8ee4098d999617f1126 SHA-256: ac198ff1ef2597ba91044cce3bfe3c105ed2a4156e95b3eb1cf415caea65d168

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded URL that directs users to a suspicious domain, likely for phishing or malware distribution. The ML classifier and ClamAV detection strongly indicate malicious intent. The embedded URL is the primary indicator of compromise, suggesting a spearphishing attachment attack vector.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://kuzutuzo.ru/wix?keyword=night+mode+apk+pro
- https://cdn-cms.f-static.net/uploads/4489061/normal_60372e243dd4d.pdf
- https://cdn-cms.f-static.net/uploads/4485927/normal_5fd91336bb7dc.pdf
- https://cdn.sqhk.co/pasezateda/fVhcbgg/hakuouki_hekketsuroku_online.pdf
- https://static.s123-cdn-static.com/uploads/4452618/normal_5ffcd0c4dcd68.pdf
- https://static.s123-cdn-static.com/uploads/4390664/normal_5fdde1448ad79.pdf
- https://static.s123-cdn-static.com/uploads/4456671/normal_6001007ce82b2.pdf
- https://cdn.sqhk.co/buzaxelubot/ichecia/panda_express_store_near_me_now.pdf
- https://static.s123-cdn-static.com/uploads/4482012/normal_5ffcad2cea440.pdf
- https://static.s123-cdn-static.com/uploads/4382961/normal_60086fa8cabbd.pdf
- https://cdn.sqhk.co/pasudajuwesa/gxMXEPM/90s_music_trivia_game.pdf
- http://dimax.website/supuzopagogezobhhda8.pdf
- https://cdn-cms.f-static.net/uploads/4494429/normal_6023dafd15502.pdf
- https://cdn.sqhk.co/jopubelo/gcxMcij/the_trip_to_italy.pdf
- https://cdn.sqhk.co/livatunozasu/igj42jd/lesson_plan_ideas_for_school_age.pdf
- https://cdn-cms.f-static.net/uploads/4476930/normal_6015b24d3634d.pdf
- https://cdn-cms.f-static.net/uploads/4427509/normal_6016f001d9b11.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/sixolose/aplikasi_whatsapp_anti_hapus.pdf
- https://s3.amazonaws.com/minaxigevani/ginorabovoniji.pdf
- https://s3.amazonaws.com/fogibi/jidosowazimo.pdf
- https://s3.amazonaws.com/towutoginadivu/magento2_invoice_template.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e1d7.bin` `f82bb56a87f6606441fec878ad139f73baf71a241572611d63a58527b22235a1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE1D7	5196 bytes
`font_01_sfnt_off0000f35c.bin` `d26182d9ec0216e9a4159d93f33ad808bbb4c765c9160d0c7f2b14206e0209f4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF35C	10736 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.