PDF malware analysis — malicious · f91c831a13acf7b6

MALICIOUS

PDF

74.5 KB Created: 2021-05-20 23:48:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-22

MD5: 7a3e76ba0f1f9596dfaabd9a760ce3af SHA-1: 824176d0a664796bdafcc38572216895dfe37d0a SHA-256: f91c831a13acf7b61357ff6cfe1b21ddbe9cb06497c28b1d11699b3ffd7eb231

116 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. It uses a callback-phone (TOAD) lure. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://dafemum.ru/strik?utm_term=polaroid+40+inch+fhd+led+tv+manual PDF link annotation
- https://static.s123-cdn-static.com/uploads/4464734/normal_5ff4c583e2a56.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4367289/normal_5fe9947cef6b5.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4418170/normal_5fd7e46fa4575.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/f4eb1f1e-4263-4556-81ac-408832ae593e/xevuzimawep.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0c63ea7f-461b-4126-8043-2490fb86a597/dodukuvizopapuranifede.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ab6e7663-5589-489a-ac72-0fd0b2fafe89/xixamuloxabitinodeviduwos.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/06661987-bf4a-4164-9db4-64d0fa5aaf00/vurakatubegemilulub.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/71cbad96-cd6a-49df-8f69-2b96d47824c9/walmart_black_friday_88.00_tv_deals.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/643ca4cc-e3b0-4056-b1e1-921d7f675253/16604128509.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9f6ef721-04fc-4198-b08d-6cff30a85919/gizamo.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a1a113a0-079a-4480-8e12-32a2d4f49530/guess_brand_logos_level_28.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/30367a44-a714-4b3b-a161-d2f37e757393/ge_monogram_fridge_ice_maker_not_working.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/77f54807-8e67-4e05-86fc-8c5617dcb958/what_is_the_electromagnetic_field_theory.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/cfadb623-24f5-4291-813a-6c201fa53e4d/how_to_replace_kenmore_oven_control_board.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7e02ccb2-6b6a-4d15-9586-05cc193ea14c/15229670740.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/4f363fdb-720c-4139-b7d7-7b8e7eb618e5/93957642339.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2aaa7179-66b8-4dad-bf43-469951c179b9/60121582881.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1467876c-6524-4ee6-99be-b73dc4d7c69e/kinidulomopakevoxewexis.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/99a53368-aec2-41c2-9abf-512a960daa1d/weider_pro_9940_home_gym_for_sale.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e5d4.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE5D4	5372 bytes
SHA-256: `fbe1400332fc8b30990a264fbecc6e433b34f3afc68fd025ee773a06ff5b475a`
`font_01_sfnt_off0000f802.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF802	10772 bytes
SHA-256: `beb040f4bc27cf16d5220a477fe85b81af15eb5b2cc709bb2c3c387913e8dec6`

Open this report in the interactive analyzer, or submit your own file for analysis.