MALICIOUS (Risk Score 96)

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The file is a PDF document that contains an embedded URL, identified as a high-risk indicator. The ML classifier and ClamAV detection strongly suggest malicious intent. The document body, though partially corrupted, appears to be a lure related to drawing tutorials, which is a common tactic for phishing or malware delivery. The embedded URL likely leads to a malicious site or a second-stage payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics (4)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://druttle.ru/aws?utm_term=how+to+draw+cool+things+simple
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000e3b4.bin | c3664ab5cede63c8ff5b084e4200cde7c69b5cd37a5d5dd5f1bbbb53afd3ac1c | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE3B4 | 5540 bytes |
| font_01_sfnt_off0000f66e.bin | 8307d18abc1a00297216198885fa9f809f11ef0d03c3c4b4adad64297f7b7958 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF66E | 10184 bytes |