PDF malware analysis — malicious · e0f2a03130099b0b

MALICIOUS

PDF

113.6 KB Created: 2020-12-31 01:07:06 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b85838bb0505c2e34489df5d1bdff422 SHA-1: d5934078e2bf3bfd823ed2a7dd0052f4ad69cf7f SHA-256: e0f2a03130099b0bd7115620eae9f981ffe4651a7df5ee105bb1fc2c8895ea71

104 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The embedded URL and document body suggest a lure for downloading an application, possibly related to game modifications. While no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a phishing or malware distribution attempt, likely delivered as a spearphishing attachment.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://traffking.ru/strik?utm_term=world+conqueror+1945+unlimited+money+apk+unlimited+everything
- https://cdn.sqhk.co/mewidexe/hi2rQid/cash_app_login_online_account.pdf
- https://static.s123-cdn-static.com/uploads/4452608/normal_5fcbeb39b58e0.pdf
- https://cdn-cms.f-static.net/uploads/4403422/normal_5fe921413fe89.pdf
- https://cdn.sqhk.co/xizowabik/gjjh4Po/mujas.pdf
- https://cdn.sqhk.co/tifesiwafo/pgi2Hnz/police_officer_jobs_in_florida_non_certified.pdf
- https://cdn-cms.f-static.net/uploads/4463807/normal_5fd6524e86892.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/be976f00-1859-42b7-a98f-df2687239d25/cesky_terrier_breeders_australia.pdf
- https://uploads.strikinglycdn.com/files/86ec42d8-8b5f-4d44-98c4-6059bbf482c0/cambridge_primary_mathematics_challenge_2.pdf
- https://uploads.strikinglycdn.com/files/8f95572b-1a4e-4aa5-add6-1264e1834f2f/9080804115.pdf
- https://uploads.strikinglycdn.com/files/5e638a7d-936b-40b1-a281-1cc542a2af0e/minecraft_1.7.5_download.pdf
- https://uploads.strikinglycdn.com/files/9ed0007f-3c73-4cea-abc0-890a6482e104/hand_crank_usb_charger.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00017df9.bin` `93cc1fe7d8e1ce6a5a2fb8b66518d234534f698cbde19055fd8e91ce6ede10d3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x17DF9	6092 bytes
`font_01_sfnt_off000192ab.bin` `c505e32fd69ae113d5b7636b072268f8e42373e7722c6dfcf2314e7ecb17d706`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x192AB	11460 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.