Malicious PDF — malware analysis report

Static analysis result for SHA-256 0af5e634965b3a21…

MALICIOUS

PDF

80.2 KB Created: 2021-07-16 03:52:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: c130b16cbffb6e03208b9447f055e1b3 SHA-1: d128a79e6b65d58019d216bfdf1a4487b8f2f194 SHA-256: 0af5e634965b3a216a54c2eae7860636a2e5db0765bb051308b4a0357fda5f12
66 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with a signature indicating phishing and trojan activity. It contains an embedded URL that, while flagged as benign, is part of a pattern often used to redirect users to malicious sites. The PDF structure and embedded objects suggest it's designed to exploit vulnerabilities or deliver further payloads, though no specific script execution was directly observed.

Machine Learning

  • Nyx PDF Classifier clean score 0.1658

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/CcIy6vlvkUk/square?utm_term=make+your+own+minecraft+multiplayer+server+free
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60effe9e24fa75375d84e0ad/1626341022203/lixozo.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60e89853f2156916d3ffdefb/1625856083711/zajulufadatowetulu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d495.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD495 16792 bytes
font_01_sfnt_off0000eca7.bin
5b291a64f67aafa3a0256bc6e8589e936841df14d97d1fdd5c0a9fd382d5c5ef		 pdf-font-stream PDF embedded font (sfnt) at offset 0xECA7 17076 bytes
font_02_sfnt_off0001192f.bin
3ba0ef571d424227dc99976d40f9e51290bd6cee105b89170f206bdac5f9c357		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1192F 11092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.