MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains an embedded URL that redirects to a malicious domain, likely for phishing or malware distribution. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though heavily obfuscated, appears to be a lure related to a song title, aiming to trick users into clicking the malicious link.
Machine Learning
- Nyx PDF Classifier malicious score 0.9850
Heuristics 4
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://pelibifir.ru/strik?utm_term=himno+nacional+mexicano+completo+letra+escrito (PDF link annotation)
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000258cc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x258CC | 3848 bytes | e61ecf91eb90e26250627757f3c1190234170e43a97a1f5df171579d6787e8ca |
| font_01_sfnt_off0002652a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2652A | 5108 bytes | 88191fc78200e5ec807560422f9c0710b79503a81fe9b022058ce880f2e3f91e |
| font_02_sfnt_off00027671.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x27671 | 14316 bytes | 2b955b2c7e9c26d70ae2deac39a39bcddd41f8cc4a1b6f65f683bdc15bf7092d |