PDF malware analysis — malicious · c3c132758fdca24a

MALICIOUS

PDF

78.4 KB Created: 2021-07-12 21:20:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: f7eb74e9aa99fd73f8773b1e67dc23a9 SHA-1: 89871344f4aca4e3fc11a162d36c0f6d56efef38 SHA-256: c3c132758fdca24a920df8b614e57ccc78ac82717492f9e3708f8de975da1f86

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and an ML classifier indicated a high probability of maliciousness. An external URI pointing to 'drafthe.ru' was extracted, which is a strong indicator of a phishing or malware distribution attempt. The presence of embedded fonts and the authoring application 'wkhtmltopdf' suggest the PDF was programmatically generated, potentially to obscure malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.9478

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://drafthe.ru/square?utm_term=south+poplar+traditional+elementary
- https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60e94ef3c22c005c933a1666/1625902835412/luwuzeduzuvatifek.pdf
- https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60e8a9daee85211156d4a68f/1625860570429/why_did_song_airlines_fail.pdf
- https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60e8ecb3dc37083541b641fb/1625877683495/87169769056.pdf
- https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e7ef24fdc75e32ab08644e/1625812772843/steam_validation_rejected.pdf
- https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ec7cfa0d838b6c850c2f65/1626111226877/the_basics_of_hacking_and_penetration_testing_book.pdf
- https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60ec866f7a1add4dee1fc7b3/1626113647486/78150451399.pdf
- https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e78f8451cb2a526cf85f11/1625788292936/pins_and_needles_medical_term.pdf
- https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60e76bc6e4919b7a951adff2/1625779142628/natomofubef.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d030.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD030	16792 bytes
`font_01_sfnt_off0000e842.bin` `dc30681573b11f810adf82ce0c1f34f5e28ac2b4721d8f17caf098028a03e5c9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE842	17032 bytes
`font_02_sfnt_off000114e0.bin` `eab999e4509b0b1076cc6ce90e9c7a51d5c0b14a5e2357c99e9ec4db9ece1dbc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x114E0	10776 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.