PDF malware analysis — malicious · d491b3f0d6dfdbd2

MALICIOUS

PDF

78.5 KB Created: 2021-07-16 11:23:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 4bd2db3e24aa0689eb08744b93b58aed SHA-1: 0a40a7f9578a5dbe22c0ab8861ada7281b078094 SHA-256: d491b3f0d6dfdbd27fd0abb98a5c7943385d39a5be57e45402ac18112a4ce21d

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The embedded URL points to a suspicious domain, suggesting a phishing or malware distribution attempt. Although no scripts were explicitly extracted, the PDF structure and heuristic firings strongly suggest it's designed to redirect users to a malicious site.

Machine Learning

Nyx PDF Classifier malicious score 0.9906

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://cructi.ru/square?utm_term=lots+for+sale+in+portmore+pines
- https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60ec83f58bb04542cee49669/1626113013290/easy_mince_pies.pdf
- https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60f12a2a5554232196bca734/1626417706418/lecture_notes_on_strategic_management.pdf
- https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60e92f8b37cb9044756076e7/1625894795965/bowame.pdf
- https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f10ac92606b657d355cbf4/1626409673385/how_to_become_pro_in_pubg_mobile.pdf
- https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60ec91a051a87c5d75acff84/1626116512918/xeroron.pdf
- https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60ee8e7b9c71001bedfa1d63/1626246779964/48397687022.pdf
- https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ecaa841951226b8b8ec3f3/1626122884487/defidojasutuzi.pdf
- https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60ed9cfad2a6f635453cda1e/1626184954672/what_is_depth_of_field.pdf
- https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e8c4348f67167615ac4fc1/1625867316864/jinexalosup.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d135.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD135	16792 bytes
`font_01_sfnt_off0000e947.bin` `39afd9ffe5a907ef6abf40fd32c22a507a62fbcc434df3b5390ba977b80d0a99`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE947	17216 bytes
`font_02_sfnt_off0001163b.bin` `569d9a5517a514a44346ee6524c0f994131de24d000e9f527f6ac9c53043c334`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1163B	10476 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.