Verdict: MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains an embedded URL that directs users to a suspicious domain, likely for a phishing or malware download attempt. The document body, though heavily obfuscated, appears to be a lure related to a piano piece, aligning with the embedded URL's query parameter.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics 4
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION). ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (severity: info, rule: PDF_URI). PDF contains an external URL action.
- Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL). The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (severity: info, rule: EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL
- https://xezojetit.ru/strik?utm_term=vivaldi+four+seasons+piano+pdf PDF link annotation
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00010448.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10448 | 5060 bytes | 9a3fb1e14db99252179660ab92da4a2c921ed3a4e05d2070a96fe2be61a8035d |
| font_01_sfnt_off0001159a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1159A | 13356 bytes | 4a451c5ab4e54cebdd094add1ab5419cc92fe8504cd1fc2f2dc358e5e5db5f26 |