PDF malware analysis — malicious · ceaaabc454b7f604

MALICIOUS

PDF

77.9 KB Created: 2021-05-18 06:12:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 82b590c3587d89726be0de50f91d6bd4 SHA-1: 996e813224aaec4c902c1bedcbade10afdff023e SHA-256: ceaaabc454b7f604a37dcf6937483cbcf78444d376e5e2b2422f8fbb80efddaf

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains an embedded URL that directs users to a suspicious domain, likely for phishing or malware distribution. The ML classifier and ClamAV detection strongly indicate malicious intent. Although no scripts were extracted, the presence of a malicious URL within the document body, combined with the file's classification as a phishing trojan, suggests an attempt to trick the user into visiting a harmful site.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://nipisod.ru/strik?utm_term=how+to+get+greek+letters+in+your+fortnite+name
- https://cdn-cms.f-static.net/uploads/4466166/normal_604366146ba7b.pdf
- https://cdn-cms.f-static.net/uploads/4456984/normal_5fe8c700732f1.pdf
- https://cdn-cms.f-static.net/uploads/4469106/normal_601ddf9f91201.pdf
- https://cdn-cms.f-static.net/uploads/4460076/normal_6063f9f624e36.pdf
- https://static.s123-cdn-static.com/uploads/4446633/normal_5fc7464157077.pdf
- https://cdn-cms.f-static.net/uploads/4388178/normal_60639f266ebc0.pdf
- https://static.s123-cdn-static.com/uploads/4410988/normal_600535b585383.pdf
- https://cdn-cms.f-static.net/uploads/4424007/normal_6068ef96522b2.pdf
- https://cdn-cms.f-static.net/uploads/4410954/normal_6066efc1c8b0b.pdf
- https://cdn-cms.f-static.net/uploads/4494875/normal_5fe66d3a2b853.pdf
- https://cdn-cms.f-static.net/uploads/4468571/normal_6052cc0cb5942.pdf
- https://cdn-cms.f-static.net/uploads/4418987/normal_6031b758dbdf7.pdf
- https://cdn-cms.f-static.net/uploads/4445129/normal_6032a2ba99db7.pdf
- https://cdn-cms.f-static.net/uploads/4484359/normal_6046b6d8b5bb3.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/1d598845-1244-4dbf-91ea-bae612a1e154/diguziv.pdf
- https://uploads.strikinglycdn.com/files/a52a2b97-2181-4b2e-9fb6-748a782fbd8b/silver_eyes_fnaf.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f14a.bin` `556131c416c3bec5906f4c51fadb2e63cafe691ab68c2c41de74c5f10fc5143a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF14A	5308 bytes
`font_01_sfnt_off00010364.bin` `241770eefb2971b8ccd2d0e0184e91e5acc60d22f6806beaa304a3ca4163d046`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10364	11680 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.