PDF malware analysis — malicious · bceb654bd2603b9b

MALICIOUS

PDF

81.4 KB Created: 2020-12-16 04:51:08 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 1342ce0ad960a45dacd9f5cfe3d1b34d SHA-1: 7dee34aeb3bbf15c9ab15c7094ada141e5b22e08 SHA-256: bceb654bd2603b9bfd791aa2564647052954006dbb2d715d11202782b6a26743

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF that contains an embedded URL pointing to a suspicious domain, identified by both heuristics and a machine learning classifier as malicious. ClamAV also detected it as a phishing trojan. The presence of the URL suggests an attempt to redirect the user to a malicious site, likely for phishing or to download further malware.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://trafffi.ru/123?utm_term=pixelmon+ink+sac
- https://cdn-cms.f-static.net/uploads/4366365/normal_5f870f3bc053d.pdf
- https://static.s123-cdn-static.com/uploads/4490534/normal_5fcd65d6e097c.pdf
- https://cdn-cms.f-static.net/uploads/4411935/normal_5f946ac7a3bff.pdf
- https://cdn-cms.f-static.net/uploads/4460463/normal_5fd15a20720f4.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/78b3a584-4580-49ab-b739-5e255a852fae/cinderella_man_free.pdf
- https://static1.squarespace.com/static/5fc64546ab79f442f24e106a/t/5fcceaf574a40730fb999734/1607265013948/tie_dye_sweatshirt_patterns.pdf
- https://static1.squarespace.com/static/5fc2e6f62bbd74065813a7ba/t/5fc52a7008845d092430979c/1606756977267/40698204037.pdf
- https://static1.squarespace.com/static/5fc2c6032e34347c70505203/t/5fc556a46457125654edb1f0/1606768292790/as400_manual_ipl.pdf
- https://static1.squarespace.com/static/5fc2a463ff13940aa24ac9c7/t/5fd1cb73071bbc68802b0143/1607584630461/liverpool_sky_sports_news_transfers.pdf
- https://static1.squarespace.com/static/5fc2a834abaecd33182d7d6c/t/5fca49d82ae1264a039f4380/1607092696384/faze_orba_trickshot_course_code.pdf
- https://s3.amazonaws.com/bokelur/hp_595-p0084_bios.pdf
- https://static1.squarespace.com/static/5fcf90380d94397de5f981ff/t/5fd67c20ffab5d3c56fe5f52/1607892001951/lerovubipevom.pdf
- https://static1.squarespace.com/static/5fc54b0340f1034a5cc5e190/t/5fd6854513a48350e817b7f1/1607894341822/tiweserenu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000102e0.bin` `81a8e76009968cccc9d8346411c2aee1d1d3c1a54ff7acc0c0f1d4d2c43ee84d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x102E0	4980 bytes
`font_01_sfnt_off000113c9.bin` `759a0303db7ef8429632df4d635e30a777acaf155a0d2ddf6342e169d379944c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x113C9	11024 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.