PDF malware analysis — malicious · ce00b15ac6cadd50

MALICIOUS

PDF

65.7 KB Created: 2021-03-20 05:19:45 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 9051f823316ce1a0eeb7d08d78e748c8 SHA-1: b3e665cc4c37c931aebfb816b770de6cf0c03399 SHA-256: ce00b15ac6cadd5057fe12f42cda176f9cbe92d1e5d33776f51f9d37f276486c

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a suspicious domain, which is a strong indicator of a phishing or malware distribution attempt. The ML classifier and ClamAV detection further confirm its malicious nature. The document's content, though heavily obfuscated, appears to be a lure related to 'free math worksheets', aligning with common social engineering tactics.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ponafet.ru/wix?keyword=carson+dellosa+free+math+worksheets
- http://spainwow.pro/vw_service_department_ipswichz0030.pdf
- https://cdn.sqhk.co/vedukosamo/dhjgejF/kodazebapineresuj.pdf
- https://cdn-cms.f-static.net/uploads/4476147/normal_60302c983ee28.pdf
- https://cdn-cms.f-static.net/uploads/4443325/normal_5fd28946b4559.pdf
- http://gadetebes.sportsontheweb.net/55259575485.pdf
- https://cdn.sqhk.co/wusakituzu/higgGfq/gorillas_don_t_eat_meat.pdf
- https://cdn-cms.f-static.net/uploads/4393755/normal_60170e302fed7.pdf
- http://voseboler.iblogger.org/apache_tomcat_server_latest.pdf
- http://icily.xyz/fishing_tour_guide_salary8detu.pdf
- http://nijepatexosanus.medianewsonline.com/curriculum_vitae_examples_for_teachers.pdf
- http://noxesim.iblogger.org/bovorebazuxifumuvedukak.pdf
- https://cdn.sqhk.co/pigajifaw/hevhbgi/my_talking_tom_cat_app_download.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://tirisesu.onlinewebshop.net/62077661335.pdf
- http://wagadepepixapu.epizy.com/astron_power_supply_schematic.pdf
- https://uploads.strikinglycdn.com/files/c8693d7b-8113-4d4a-addb-33916db894fc/16934813736.pdf
- https://uploads.strikinglycdn.com/files/9ab2de0e-55d7-40fd-a37b-5892441ff678/san_andreas_cheat_codes_ps2_superman.pdf
- http://kalumeli.rf.gd/regiwomudevure.pdf
- https://uploads.strikinglycdn.com/files/896cc1ac-2928-4ca7-9225-2cd06262e8b6/salijibupev.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c72e.bin` `64c169b9618fa8495873f91eab04bbc9488bf4153ce65228f289eb235bda2557`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC72E	5208 bytes
`font_01_sfnt_off0000d8c5.bin` `8955e1a1a582eeba93de93eea98d10e93cfac20babfd41442ea78bb8c33a6267`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD8C5	9596 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.