PDF malware analysis — malicious · dadc3ab6107afbb7

MALICIOUS

PDF

69.7 KB Created: 2021-01-06 02:48:48 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: d61ae2ac86f9e5f7246f3ac663ecbda6 SHA-1: 79f65a01b1e3463190ca449cd77fa31d7499f01a SHA-256: dadc3ab6107afbb708b94e08393f8f8571056c5179d1229083ceadb47528c331

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'https://trafficel.ru/aws?utm_term=sadraey+aircraft+design+pdf', which is likely used to deliver a secondary payload or conduct phishing. The document body is heavily obfuscated, but the presence of the malicious URL and the overall detection verdict strongly suggest a phishing or malware distribution attack.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://trafficel.ru/aws?utm_term=sadraey+aircraft+design+pdf
- https://cdn.sqhk.co/tororukiwuri/Cjdjeid/fofuvokazutugogiwetuta.pdf
- https://cdn-cms.f-static.net/uploads/4496193/normal_5fbb262aed766.pdf
- https://static.s123-cdn-static.com/uploads/4418180/normal_5fccf1c20df68.pdf
- https://cdn-cms.f-static.net/uploads/4393029/normal_5fb5220a88f61.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/piwupevivotixi/mejorimenezarote.pdf
- https://uploads.strikinglycdn.com/files/a5c9acef-5895-4210-bf9d-ff7985f81bb8/nick_chubb_contract_extension.pdf
- https://uploads.strikinglycdn.com/files/7ade1e58-295c-4079-84a1-0214347dfcd8/22221506814.pdf
- https://s3.amazonaws.com/nefagolom/pharrell_tattoos_removed.pdf
- https://uploads.strikinglycdn.com/files/db79c721-a313-45a6-8b81-2755e32e7cb5/playit_apk_for_windows.pdf
- https://s3.amazonaws.com/zinudipir/danielson_domain_4.pdf
- https://s3.amazonaws.com/wujodibu/67426412689.pdf
- https://uploads.strikinglycdn.com/files/b35793df-3009-4acd-a9b0-0eb852295b74/ravelry_knit_chevron_baby_blanket.pdf
- https://uploads.strikinglycdn.com/files/2569b3bd-7b3c-4901-93e3-a0db9fdaac2d/38236706461.pdf
- https://uploads.strikinglycdn.com/files/fa7f3f03-5fb6-4f73-b038-68f0bc9c4bb2/free_friv_games_to_play_now.pdf
- https://s3.amazonaws.com/numunenoji/26353057528.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d17b.bin` `7b548e76f4d84895e27c2c39b6675719e95197f89233568b1dd0a78395c49ae0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD17B	5496 bytes
`font_01_sfnt_off0000e44b.bin` `094655660633d6d4af1e44a52f336982c105a3b5507660a813d2734584979690`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE44B	11296 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.