PDF malware analysis — malicious · c4f1aa050dbd83ef

MALICIOUS

PDF

75.1 KB Created: 2021-02-25 17:26:25 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: d2d9effecc0fa90337ea2735b853f39a SHA-1: 5b0a55ac85957e7d2531db237679e6a733fc137a SHA-256: c4f1aa050dbd83efdfeaa95998a2ce8aa2f71c19b0a6df10410ba074a00bba85

104 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file is identified as malicious by ClamAV and an ML classifier, with heuristics indicating the presence of an external URI and a visual download button. The embedded URL, 'https://baarspo.ru/wix?keyword=auto+upkeep+3rd+edition+pdf', likely serves as a lure to download a secondary payload. The document body, though heavily obfuscated, contains text related to 'Auto upkeep 3rd edition pdf', suggesting a pretext for the malicious download.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://baarspo.ru/wix?keyword=auto+upkeep+3rd+edition+pdf
- https://static.s123-cdn-static.com/uploads/4452624/normal_5ff296115f2b9.pdf
- https://cdn.sqhk.co/dukosisevu/Jzicic4/62154312252.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://saveluvuwu.rf.gd/ultimate_general_civil_war_strategy_guide.pdf
- https://s3.amazonaws.com/gimisorixosu/35140811676.pdf
- https://s3.amazonaws.com/vudivuzakal/91963655305.pdf
- https://s3.amazonaws.com/titugome/dell_latitude_e5570_spec_sheet.pdf
- https://s3.amazonaws.com/zuxime/apa_format_citations_generator.pdf
- https://s3.amazonaws.com/gupojakami/government_iti_college_admission_form_2018.pdf
- https://s3.amazonaws.com/gafedupeba/pesedefugoxiramasula.pdf
- http://mufizepumu.rf.gd/jofativubufareziwidomug.pdf
- https://s3.amazonaws.com/tifuwuw/bought_synonym_formal.pdf
- https://s3.amazonaws.com/zafaronivaj/pumaxotogu.pdf
- http://marelifi.rf.gd/kimapumogamowanake.pdf
- https://s3.amazonaws.com/jexijer/spiderwick_chronicles_field_guide.pdf
- https://s3.amazonaws.com/zemigiduwagafu/dogolul.pdf
- https://s3.amazonaws.com/jejulurowev/bareilly_ki_barfi_full_movie_mp4.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e8a9.bin` `78e7aa5d2eaf961e81484e0e895db32a6bf1f7c4552c41ce43a8a820b67a34ad`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE8A9	4832 bytes
`font_01_sfnt_off0000f935.bin` `0eb03a6be17375516146bbf5a79905156448dcfaed27b0654c616b4f7b3787cd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF935	10716 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.