Malicious PDF — malware analysis report

Static analysis result for SHA-256 052511b375a7ed45…

Verdict: MALICIOUS
File type: PDF
Size: 80.0 KB
Created: 2021-07-14 01:23:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 3bd97f632608e84d796da89494312aa0
SHA-1: 5c7f97d991698226cc44469738178a28511e5b19
SHA-256: 052511b375a7ed45cf94edbab8b0480b6b498b68c21f952141453ef474a577a4
Risk Score: 66

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file was detected by ClamAV as Pdf.Phishing.Trojan, indicating malicious intent. It contains embedded URLs, though the primary ones appear benign. The PDF structure itself shows signs of manipulation with duplicate object bodies, suggesting an attempt to evade detection or embed malicious content. The primary attack vector is likely through exploiting a vulnerability within the PDF reader to execute code, hence the classification as Exploitation for Client Execution.

Machine Learning

  • Nyx PDF Classifier: clean score 0.1454

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000d6ac.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xD6AC   16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000eec3.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEEC3   11204 bytes
    SHA-256: d77589b4957d1846b8312e12a86a1b3dc314e87365bd0267e12e6c42f04df970
font_02_sfnt_off0001089f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1089F  17032 bytes
    SHA-256: d4888aba607a89f80fcf8317d6f173aa6118c00dd3fb882476a1cbf07aa70a77