PDF malware analysis — malicious · f7698a7c1610ca58

MALICIOUS

PDF

84.0 KB Created: 2021-01-23 13:01:47 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 84d4134780ed963781c5fa5e740e23be SHA-1: eafa72948acca267f7e209c070fff456161b7b0b SHA-256: f7698a7c1610ca581006ee98abcb52cb369fe48ecaafab7677b53e6526c65c02

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning classifier indicated a high probability of maliciousness. An external URI pointing to 'baarspo.ru' was extracted, suggesting a phishing or malware distribution attempt. Although no scripts were directly extracted, the PDF structure and the presence of an external URL indicate it's designed to lead the user to a malicious resource.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://baarspo.ru/aws?utm_term=android+change+hamburger+icon+programmatically
- https://site-1175201.mozfiles.com/files/1175201/81971797878.pdf
- https://static.s123-cdn-static.com/uploads/4388183/normal_5ff3c3d007175.pdf
- https://cdn.sqhk.co/devisofage/Hdhdkjf/12315648419.pdf
- https://cdn.sqhk.co/ruxukulalodi/jj0btih/jatuwugesekomerar.pdf
- https://cdn.sqhk.co/rukugewul/wJgJ6ie/pocket_rocket_camp_stove_review.pdf
- https://site-1174307.mozfiles.com/files/1174307/viggle_app_crashing.pdf
- https://cdn.sqhk.co/pulizojiwim/gjcgi2B/local_weather_radar_real_time.pdf
- https://cdn.sqhk.co/vipujitebiki/e7igehg/q_twins_ft_tira_hamba_mp4.pdf
- https://static.s123-cdn-static.com/uploads/4413718/normal_5ff292316e3a0.pdf
- https://site-1234129.mozfiles.com/files/1234129/wegetig.pdf
- https://static.s123-cdn-static.com/uploads/4381735/normal_5fe4e6ed4b55b.pdf
- https://site-1194826.mozfiles.com/files/1194826/formaldehyde_keratin_treatment_side_effects.pdf
- https://site-1175150.mozfiles.com/files/1175150/loruxo.pdf
- https://static.s123-cdn-static.com/uploads/4385422/normal_5ff198125074b.pdf
- https://site-1176201.mozfiles.com/files/1176201/first_grade_math_worksheets_subtraction.pdf
- https://cdn.sqhk.co/putizimetiwe/abgjmge/espn_nba_scores_celtics.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000106f4.bin` `052eb777faa5ded85492f6cf9b847f0ce3857f49d6903e0a62126b54e3c55b99`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x106F4	5540 bytes
`font_01_sfnt_off000119a5.bin` `5fca0dbbecb48ae8f5089579d18a57b1fa6b3c6334831129390a2f6f1a2f210a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x119A5	12508 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.