PDF malware analysis — malicious · f8bf9075b22ee134

MALICIOUS

PDF

113.1 KB Created: 2021-07-24 01:24:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-13

MD5: 13b1aee7368ef8b24d2a0e89e0996834 SHA-1: cdb4b1354f92c874a5b16cee68780b7a7daee8cb SHA-256: f8bf9075b22ee134e6875e99e6f52ec3ff1feeccfefa3f18a39e2ad37e03d627

104 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The file was detected by ClamAV as Pdf.Phishing.Trojan and a machine learning classifier flagged it with high confidence. The presence of embedded URLs and heuristic firings related to external URIs and urgency lures suggest a phishing attempt. Although the document body is heavily obfuscated, the overall findings point to a malicious PDF.

Machine Learning

Nyx PDF Classifier malicious score 0.9991

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://feedproxy.google.com/~r/razvivatel/yapz/~3/-MXWpcYQ7kA/square?utm_term=call+of+duty+black+ghost+cheats+ps3 PDF link annotation
- https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ede832017ec663b53d677c/1626204210154/how_to_print_web_page_as.pdfIn PDF document text
- https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f53a769c57c2493951c8c4/1626684022238/78902628053.pdfIn PDF document text
- https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60f36447952f835132d61629/1626563655929/maryland_driving_test_answers.pdfIn PDF document text
- https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e8d0b09ff65824183286c2/1625870512802/yle_movers_speaking_sample_papers.pdfIn PDF document text
- https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e95d63c91b61347ea552ac/1625906531732/bomeguzixaxifibux.pdfIn PDF document text
- https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f64ef09c09b97e4fbc37f0/1626754800323/lipolokepitomu.pdfIn PDF document text
- https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60fa198ceb3ca128f6f659ac/1627003276627/roasted_fennel_and_carrots.pdfIn PDF document text
- https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f0bf08f32be22f0070af19/1626390280670/attorney_general_cover_letter.pdfIn PDF document text
- https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e8fa4a2c5c2f6215c767fd/1625881162652/constitution_of_england.pdfIn PDF document text
- https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60fb400722c5ce2ebd92b762/1627078663457/zisebuvukilega.pdfIn PDF document text
- https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60fb33c0fdaf7a1dc9d23987/1627075520973/where_can_i_download_microsoft_word.pdfIn PDF document text
- https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f956174d80571ef0f84a82/1626953239943/biladojixuzojemanegizuwe.pdfIn PDF document text
- https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60fb383fb2b22e0b7542aeaf/1627076671114/32595957897.pdfIn PDF document text
- https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f8e6fce6d4d36da3a545d4/1626924796151/rofewudelifewumonu.pdfIn PDF document text
- https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e84aa62f85bf4fcbe83736/1625836198772/butterfly_in_shades_of_grey.pdfIn PDF document text
- https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60fb32b9fdaf7a1dc9d22376/1627075257925/fundamentals_of_business_process_management_test_bank.pdfIn PDF document text
- https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60f00efe0dea5e4896bdc13d/1626345214626/26861310257.pdfIn PDF document text
- https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f15cd0d1fa142bceb1fd36/1626430672945/31169336122.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0001569b.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1569B	11252 bytes
SHA-256: `ba7e3c78d8fc94eab24ff66722941e13875e00d1bde0a352654069ab7e7329c8`
`font_01_sfnt_off000170e2.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x170E2	17532 bytes
SHA-256: `2a3017faa26b931a9e261cb9233995ea9bb91cc4634454e85133b55d37de20c9`
`font_02_sfnt_off00019eb5.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x19EB5	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.