Malicious PDF — malware analysis report

Static analysis result for SHA-256 d728ce568c051546…

MALICIOUS

PDF

Size: 75.8 KB
Created: 2021-03-30 09:52:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c4d15d1325a81e837b99432383c188d0
SHA-1: dc38abb84e4c9e79986203ac2138774da848cd56
SHA-256: d728ce568c051546ff9cad3d9e8f0e313d569c24e2d42a3a80217290dd3b267d
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a suspicious domain, identified by heuristics as an external URI and flagged by ML classifiers and ClamAV as malicious. The document body, though heavily obfuscated, suggests a lure related to a 'medical reference app'. The presence of an external URI strongly indicates an attempt to redirect the user to a malicious site for phishing or further payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/wix?keyword=maxwell+quick+medical+reference+app
    • http://fazejajogavu.medianewsonline.com/laboratory_technician_job_description.pdf
    • http://wamuwosola.mygamesonline.org/m2n68-la_rev_3.02_specs.pdf
    • http://pawosevisipe.iblogger.org/architecture_resume_cover_letter_template.pdf
    • http://pobunav.sportsontheweb.net/99438693420.pdf
    • http://tometifo.getenjoyment.net/american_psychological_association_2020_6th_edition.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/1a0951ac-793e-45db-8022-2b5ee8d4ad4f/fuvuvovaverojevuxotalape.pdf
    • https://s3.amazonaws.com/fasomusogapovi/2006_dodge_stratus_sxt_v6_specs.pdf
    • http://lumalidik.atwebpages.com/athletics_events.pdf
    • https://69a21580-3c80-4f81-8097-1ec0bc18215d.filesusr.com/ugd/bd7df1_e460063a1c8b43fa94797dc60e2145cd.pdf?index=true
    • http://zakuvusebaj.epizy.com/56426038188.pdf
    • https://uploads.strikinglycdn.com/files/ea2d507e-1951-4caa-af14-bb257ab911e8/sasixexowofana.pdf
    • http://bigapenegig.atwebpages.com/degix.pdf
    • https://uploads.strikinglycdn.com/files/5952bad3-19d7-4936-aa43-be2ab27f3b44/vewavuruvuwukagesif.pdf
    • https://bc13a564-db4d-4abe-bba9-081b1c4085ef.filesusr.com/ugd/d5ec75_761be809403f481ea2cdd324b214502c.pdf?index=true
    • https://s3.amazonaws.com/wujixus/48254704537.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000e7cb.bin
    SHA-256: fd2897fa561de58a6433acf93bd4e0d291151cd9d21f2c1084c891e36f145d33
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE7CB
    Size: 5480 bytes
  • font_01_sfnt_off0000fa7f.bin
    SHA-256: 64506eddbfcc837c4ad636a270182b6d4d2793144a01a702e8032cbeb25cf276
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFA7F
    Size: 11756 bytes