PDF malware analysis — malicious · fd3f63b11b8a662a

MALICIOUS

PDF

75.5 KB Created: 2021-02-26 23:43:51 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c02050b40e9b558febb2734153df9e64 SHA-1: 14ec58eaff73a76749a80ffdcbc5db5c41640f8a SHA-256: fd3f63b11b8a662a8605b51135dc8bdf3705c4f29d42c6bc819c09a9bb829dbd

104 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file is identified as malicious by a ML classifier and ClamAV, with a high risk score. It contains an external URI pointing to a suspicious domain, likely for downloading a payload. The presence of a 'download button' heuristic further supports the lure-based attack pattern. No scripts were extracted, limiting the analysis of specific execution methods.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://pelibifir.ru/123?utm_term=counter+strike+1.6+cd+key+generator+free+download
- http://zuzorovix.scienceontheweb.net/best_location_for_antenna_amplifier.pdf
- http://zobebukore.22web.org/57766628282.pdf
- http://vugijow.iblogger.org/is_the_gillette_fusion_proglide_styler_waterproof.pdf
- http://bebarupeludif.22web.org/i_am_poem_lesson_plan_4th_grade.pdf
- http://kakasusalulul.iblogger.org/how_to_use_schumacher_15a_battery_charger.pdf
- http://bixaxivajujojar.mypressonline.com/how_much_does_a_ps3_controller_cost_at_walmart.pdf
- http://ruseseru.iblogger.org/dejeruguxusavegasul.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/fuwuzerijofa/57033433267.pdf
- http://zusewijoje.epizy.com/allahabad_state_university_exam_date_sheet_2019.pdf
- http://pivimufe.atwebpages.com/jutinexowub.pdf
- http://vimodamugirad.rf.gd/dejosinotatovafemutonefab.pdf
- https://s3.amazonaws.com/kexamoxusinixu/sik_world_broken_wings_mp4.pdf
- https://s3.amazonaws.com/savifin/bubble_shooter_apk_indir_android_oyun_club.pdf
- http://pikubub.onlinewebshop.net/57303328227.pdf
- https://s3.amazonaws.com/sefiwegegagu/classroom_rules_activity_sheet.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000dfd6.bin` `b8e0ccce3dbd5165f88469e8e337995026728f90b89a779a9f6f84425df329f4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDFD6	5588 bytes
`font_01_sfnt_off0000f314.bin` `c3a7a7c6ae85ce8645bcf31ca75584ae65c680fdfafafe252874cd6a7e3a0382`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF314	14900 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.