PDF malware analysis — malicious · c81d5e842e922c3d

MALICIOUS

PDF

76.7 KB Created: 2021-03-21 05:53:56 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: eb249e537e997618082dafac9a70b668 SHA-1: f19e2febea34bb08ae8b705fb83da6604c17091f SHA-256: c81d5e842e922c3dddfa88217606c1c4b216905d5123cf551200939cea968aa9

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. The document contains an embedded URI pointing to a suspicious URL, which is likely part of a phishing or malware distribution scheme. The presence of this external link suggests the document is designed to redirect users to a site that may host further malicious content or attempt to trick them into downloading additional malware.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://resalured.ru/award?keyword=worshipping+false+gods+pdf+free+download
- https://guvikaki.weebly.com/uploads/1/3/4/5/134519546/b96c6f5.pdf
- https://cdn-cms.f-static.net/uploads/4490736/normal_604513ba4240c.pdf
- http://sufewonu.iblogger.org/algebra_2_trig_textbook_mcdougal_littell.pdf
- https://faneboluti.weebly.com/uploads/1/3/4/4/134464249/zakazedekosokod.pdf
- https://cdn-cms.f-static.net/uploads/4387807/normal_600f098ed5313.pdf
- http://zinuginevero.22web.org/java_jdk_11_documentation.pdf
- https://cdn-cms.f-static.net/uploads/4412408/normal_5fdc59d4386dc.pdf
- https://fogojokiverowur.weebly.com/uploads/1/3/0/9/130969702/lejovifajomino_dagirumon_wubasabulukij.pdf
- https://jowetetezuvam.weebly.com/uploads/1/3/4/7/134717416/vagixowepoli.pdf
- http://vudatibapikapak.22web.org/pejikizagakurax.pdf
- http://konifipajig.iblogger.org/black_ops_zombies_apk_aptoide.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://divupovive.epizy.com/11399918729.pdf
- http://podekewijove.epizy.com/nogitulirirewuwe.pdf
- http://sajidot.epizy.com/dimivuxexusotisotilef.pdf
- https://s3.amazonaws.com/metubevozisul/wizepibavij.pdf
- http://denefarow.rf.gd/60478403095.pdf
- http://genividi.epizy.com/27685050316.pdf
- http://rebubokinore.epizy.com/xiverusalon.pdf
- https://s3.amazonaws.com/makumapikeze/laminating_sheets_target.pdf
- http://pavinudoj.epizy.com/29071952415.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000edcd.bin` `8569a7ce0796289e52b4ce00f316cbce4821f12fb4afda1fc290494e88d11047`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEDCD	5408 bytes
`font_01_sfnt_off00010048.bin` `df3b520051396e6a9df2fd1f8511167e3ddc7bb8d145fccc84e5bba7f81688c9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10048	10976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.