PDF malware analysis — malicious · e171f20ec43866cb

MALICIOUS

PDF

75.1 KB Created: 2020-11-11 02:37:10 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 77848b15df2eb6aa07cbe813b0b7e759 SHA-1: 1c82ae3853bedd72906ed2968d0d6c7e0c660ab9 SHA-256: e171f20ec43866cbbfbc18ed53b10b3f47602f5e27e9a9a979a3a7d6b0da0487

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document that contains an embedded URL pointing to a suspicious domain. The ML classifier and ClamAV detection strongly indicate maliciousness. The presence of an embedded URL suggests an attempt to redirect the user to a malicious site, likely for phishing or to download a secondary payload.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://traffine.ru/aws?keyword=gravity+feed+or+siphon+feed+airbrush
- https://cdn-cms.f-static.net/uploads/4443814/normal_5fa64b5c92574.pdf
- https://cdn-cms.f-static.net/uploads/4417983/normal_5f9b5bd6e673a.pdf
- https://cdn-cms.f-static.net/uploads/4393521/normal_5fa04676e1fa6.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/97260253-a5bb-4a6c-a5b8-412028e0f427/sidutugukifinat.pdf
- https://uploads.strikinglycdn.com/files/9aaf045e-b590-43a8-88dd-49fe27d6cfdb/50214763537.pdf
- https://uploads.strikinglycdn.com/files/24b895fd-2918-44eb-b514-3466cd3997f6/10880655236.pdf
- https://uploads.strikinglycdn.com/files/25729ba4-1928-496f-92e7-34d9c8233114/12099620173.pdf
- https://uploads.strikinglycdn.com/files/1841b131-023a-4c58-bd60-5e76a2cc5376/thor_appliances_yelp.pdf
- https://uploads.strikinglycdn.com/files/7537ac04-d554-4b3a-b29b-22bb94767361/palaxakovosisizizo.pdf
- https://s3.amazonaws.com/pazifetanegapu/phytophthora_parasitica.pdf
- https://s3.amazonaws.com/memul/princess_diana_biography.pdf
- https://uploads.strikinglycdn.com/files/73ac9f6b-66e6-42b5-8601-7cef5af4277c/prime_natural_cbd_oil_300mg.pdf
- https://uploads.strikinglycdn.com/files/11d3c1c0-e2b1-4f2a-a674-605c5eb67b66/43921357159.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
- http://www.geocities.com/mitra_anirban/hobbies.htmGNU
- http://www.gnu.org/copyleft/gpl.htmRegular

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000dd30.bin` `ad3f14b6c63268063cbcabf82613b58cb795df2713b03632f83ced69bae72971`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDD30	5432 bytes
`font_01_sfnt_off0000efad.bin` `b91f3c26f37c28538ed09035cbea6f9221827f1e30b50c452f08cc820bcc167b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEFAD	3720 bytes
`font_02_sfnt_off0000fb10.bin` `f29febd89b2a1a0430e1c5510789d2df6d8a04a6450a0dc25cabf52fc2bdd478`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFB10	10292 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.