PDF malware analysis — malicious · f155e15bcf8afdde

MALICIOUS

PDF

75.1 KB Created: 2021-06-13 13:41:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 39e90bbc8ba3a695cf926faa5628e441 SHA-1: 6f382ee9035b0ffe7f33c8f7912c4b94adee5fec SHA-256: f155e15bcf8afdde91b9f005610366b4813477de46c975a52293a18d6709ea9e

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, with a high risk score. It contains multiple embedded URLs, some of which are hosted on suspicious domains and are likely part of a phishing or malware distribution scheme. No scripts were extracted, but the presence of embedded URLs suggests an attempt to redirect the user to a malicious site.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://static.s123-cdn-static.com/uploads/4366384/normal_5fff39a763da7.pdf
- https://giwafadewixagi.weebly.com/uploads/1/3/4/3/134369241/c18055001c63af.pdf
- https://putomusozozor.weebly.com/uploads/1/3/4/3/134321488/soginixutota.pdf
- https://cdn-cms.f-static.net/uploads/4474979/normal_60543f84c7cf1.pdf
- https://safopuxe.weebly.com/uploads/1/3/4/8/134893808/xofasafelatateb_peron_jewefebagul.pdf
- https://figiroxofidun.weebly.com/uploads/1/3/0/7/130740151/mawemijazu.pdf
- https://static.s123-cdn-static.com/uploads/4444853/normal_5fc6cd6624f96.pdf
- https://cdn-cms.f-static.net/uploads/4456387/normal_602d4493627f0.pdf
- https://cdn-cms.f-static.net/uploads/4414486/normal_601ddbcf6986f.pdf
- https://mobasukirogejus.weebly.com/uploads/1/3/1/4/131453019/wivovogiri.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://feedproxy.google.com/~r/wb/ENAH/~3/dN4lCoxrs6M/wb?keyword=hoover%20windtunnel%203%20pro%20deluxe%20review
- http://nuxawakaxaz.pbworks.com/f/how_to_get_kenwood_stereo_out_of_protect_mode.pdf
- http://tujedet.pbworks.com/f/free_spins_coin_master_2020_generator.pdf
- https://uploads.strikinglycdn.com/files/ea468b5c-d871-444f-a48d-6a6ea2323ead/lapojeb.pdf
- http://finatin.pbworks.com/w/file/fetch/144489462/jilitufubatevazofu.pdf
- https://uploads.strikinglycdn.com/files/33bbb7f3-13a2-4b97-937e-b4fe7aa80e46/salobisotukukeruram.pdf
- https://uploads.strikinglycdn.com/files/93c3b36f-c9d8-4d26-bac4-87b907c1795a/54822238389.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e913.bin` `f862242577f420c1eb74536ccc5e68910584210560097bab9734dc7c2d7925ec`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE913	4912 bytes
`font_01_sfnt_off0000f9f2.bin` `83d48fad8093642dd3e64f7ce2c5422396a7ee4da7964619429a425a2852fbcf`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF9F2	10484 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.