PDF malware analysis — malicious · e36add00ab8b26a0

MALICIOUS

PDF

83.8 KB Created: 2021-04-04 12:08:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7ca50f9fbfd371738a82204724fa51d4 SHA-1: d9979b597621ee5314b2b10586ffd8571b9d7433 SHA-256: e36add00ab8b26a0d7d3cc3e405a50d1a96fc1fe08feb48604eace8f80097045

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'druttle.ru', which is suspicious. The document body, though heavily obfuscated, references 'Final Fantasy 12 mods', likely a lure to entice users to interact with the malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://druttle.ru/wix?keyword=final+fantasy+12+mods
- https://static.s123-cdn-static.com/uploads/4460072/normal_5feb2be1b5cf9.pdf
- https://static.s123-cdn-static.com/uploads/4455642/normal_5fee37eb257d8.pdf
- http://xulubapatoso.scienceontheweb.net/50137496676.pdf
- http://complect-tech.ru/51764205832jkpa1.pdf
- http://idslim-italia.site/62091975514lure3.pdf
- http://boomerangoo.site/filukitubawziinl.pdf
- http://leree6.club/5931685622sulti.pdf
- http://lezeninimi.medianewsonline.com/jujigesidurezimuzijipa.pdf
- https://static.s123-cdn-static.com/uploads/4455183/normal_5ff2baed532c8.pdf
- http://reawolt.online/how_to_get_yeti_microphone_to_workxe1nl.pdf
- http://reduslimitaly-ufficiale.website/consider_the_differential_equation_dy_dxy-12cospix6x56e.pdf
- https://cdn-cms.f-static.net/uploads/4471488/normal_60401ac849757.pdf
- http://dsv-trening.ru/rogudozulurix8hr9c.pdf
- http://gabojodidi.iblogger.org/classical_sociological_theory_book.pdf
- https://static.s123-cdn-static.com/uploads/4443819/normal_6005fea83d996.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://zegemipufe.epizy.com/whatsapp_free_video_songs.pdf
- http://femejedad.epizy.com/wepifemejup.pdf
- https://s3.amazonaws.com/suxugipipolazog/95763198653.pdf
- http://mosebokolerer.epizy.com/88585292528.pdf
- https://s3.amazonaws.com/lorifawuvawot/how_to_take_apart_bissell_little_green_brush_head.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000108f7.bin` `04d080d3fe93703442cba6b56527614a817fc093c58feb401be7349eb01c858a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x108F7	5196 bytes
`font_01_sfnt_off00011aab.bin` `0ed279f410a4875779d3c67bb83b92b48c5d96ad4541bf23094072594c4ead83`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11AAB	11540 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.