PDF malware analysis — malicious · f5d1cf5be9281dfe

MALICIOUS

PDF

83.7 KB Created: 2021-06-08 11:36:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-25

MD5: a10f811c932dad88f0674482e99d3b24 SHA-1: 50040ddaec310a21f43a66e819a77d25b84c9252 SHA-256: f5d1cf5be9281dfe09b06994b8aa9e0c8745cadacb3131970f1c581bf132acdb

96 Risk Score

Machine Learning

Nyx PDF Classifier malicious score 0.9954

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://synerhu.ru/pbw?utm_term=actividades+de+lectura+para+ni%25C3%25B1os+con+autismo PDF link annotation
- https://cdn-cms.f-static.net/uploads/4378406/normal_60520dd972d06.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4488332/normal_600576522367b.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4444655/normal_5fcef5865a2c3.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4389616/normal_600ef63c77dba.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4449788/normal_60519b75823a6.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4420250/normal_60beaea08729a.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4453721/normal_60657c3f499cb.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4497646/normal_5fe3de8137562.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4469834/normal_600ab2fcd6cb3.pdfIn PDF document text
- https://static.s123-cdn-static-d.com/uploads/4365601/normal_60b124d7bc154.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4485699/normal_602dfff82fb3a.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4487413/normal_5fddc160a2731.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- https://uploads.strikinglycdn.com/files/78160a82-de04-48e2-b3f1-4f8f14a7febd/what_do_you_mean_by_desktop_background.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a35d4c3a-848a-4064-8d0f-84590316f1bd/99208295038.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/21b7f974-90c3-4f1c-a9f7-6b259f223d97/silent_letters_in_english_language.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f520b16c-98c9-4a04-9070-ee01290e0599/stanley_fatmax_j7cs_portable_power_station_jump_starter_reviews.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a0829547-cbef-4389-9809-1639e3f9d060/english_bulldog_puppies_for_sale_near_me_under_300.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2d7dad97-ae1f-420b-86c4-6e02640e7994/juxumebu.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1206b916-5d04-485c-a442-5a041939f8ed/16_fundamental_truths_of_the_assemblies_of_god_tagalog.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ab527267-3f0a-4f81-95d2-668b7afe44a1/neet_biology_mcq_chapter_wise_free_download.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/040c4c5c-46ca-44e9-afb5-80622f381c10/winters_bone_streaming_australia.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e0957504-32a5-424c-ba3f-df2eb3b2cc87/graco_metrolite_stroller_compatible_car_seats.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/43c8b0a8-b4ad-4be2-9688-9badd485246f/jegixelixazomejug.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/29d04a95-5aa3-4184-a589-e2f68614b459/can_you_keep_a_secret_nightcore.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e0f527cf-055b-4ad4-8cf7-cf8e821bb6ce/gre_big_book_vocabulary.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/271b30f6-1df3-472a-9deb-1adcc68da5ad/60723063835.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f61f.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF61F	5360 bytes
SHA-256: `c43d7fe2c5ccc7fb0a5b5ce73f1dfdb86921cb8121d181a7906866e06907b8b3`
`font_01_sfnt_off000107f3.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x107F3	12772 bytes
SHA-256: `689012dcd562fffdf7914533fc340b44eed26c9f57655fc125f620b2e4b0c949`
`font_02_sfnt_off00013006.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13006	4324 bytes
SHA-256: `1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361`

Open this report in the interactive analyzer, or submit your own file for analysis.