PDF malware analysis — malicious · eb0992425925c1ca

MALICIOUS

PDF

67.0 KB Created: 2021-03-22 04:14:48 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 9b2d1b75be9a38249ca47f5ab92a106f SHA-1: 14455e7a1ca1faa39a0a11b140b9ffc2b1b7cc2a SHA-256: eb0992425925c1ca0a8e073cf694e6a96cf810bf1363241a7040f6da6660d169

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier, indicating malicious intent. The embedded URL points to a suspicious domain, likely serving as a lure for phishing or to download further malicious content. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, a tool sometimes used to create malicious PDFs.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://vilenefex.ru/123?utm_term=chale+aana+female+ringtone++pagalworld
- https://static.s123-cdn-static.com/uploads/4412570/normal_5ffabdb0b75cc.pdf
- https://cdn-cms.f-static.net/uploads/4368222/normal_5fe612590a00a.pdf
- http://plafond.xyz/jivupigofibotuzamimewz4upk.pdf
- http://trastqort.online/basf_se_financial_report9w1a1.pdf
- http://lomipojiposo.iblogger.org/58403444842.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://nasuxenabo.epizy.com/ginoperonapa.pdf
- https://034618a9-9b39-4f41-ad18-95bca1d1c80b.filesusr.com/ugd/48d9a1_ea032d4afdd04223a006256c36840725.pdf?index=true
- https://f8d4b294-f952-4a11-85e8-0a3036f9bdaf.filesusr.com/ugd/ad8f3a_eaefd721c83f46d59f33146f099b985d.pdf?index=true
- https://e6c529cc-411f-4195-b5ea-7b5fd081490a.filesusr.com/ugd/b7ab08_1844e8c900d24a03b49e3454dde34bde.pdf?index=true
- https://a0f1d9c0-ea46-4e0e-9383-d87711d3127f.filesusr.com/ugd/1e3fb7_68c243685e3d49129b832e48907b16ca.pdf?index=true
- https://8bd0dbf5-62e0-4684-a95a-1d9666dfa34a.filesusr.com/ugd/e71694_e591aa1d53604f4e958215b45511a9f1.pdf?index=true
- https://s3.amazonaws.com/tazopaju/82908328991.pdf
- https://s3.amazonaws.com/bomifabipi/57000939405.pdf
- https://37e79482-e567-4eff-b449-6ea9b90d4679.filesusr.com/ugd/cff0cd_cbdd5bb6fe664ef5b0250f6f5615674f.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c8a4.bin` `8f978b4e521d37a71d6c828703799247ee87047995d261cf12c41410a110ee10`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC8A4	5272 bytes
`font_01_sfnt_off0000da79.bin` `ac260287b065f459ca119e6610ed365c90a631a78d4a6212b4ff2649b74041e2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDA79	10628 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.