PDF malware analysis — malicious · 0f80022a80ac02e2

MALICIOUS

PDF

81.9 KB Created: 2021-07-13 19:42:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: db22366526f3e4dd02c3fabca50fdcdd SHA-1: 630b7c96c61b48eb216939a57e9a18270951990a SHA-256: 0f80022a80ac02e2a4e5612ab932cf3fc00664430593d1d0af6d16b6b64bbff3

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF was flagged by a machine learning classifier and ClamAV as malicious, with a high risk score. The presence of embedded URLs suggests an attempt to redirect the user to malicious content or phishing pages. Although no scripts were explicitly extracted, the nature of PDF malware often involves exploiting vulnerabilities or embedding malicious JavaScript.

Machine Learning

Nyx PDF Classifier malicious score 0.9473

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://feedproxy.google.com/~r/razvivatel/yapz/~3/0YvHz_IItD0/square?utm_term=2+cm+and+50+effaced
- https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ec8557fe047727940be207/1626113367403/rofopeniroregawi.pdf
- https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e90f5f320dbd0de28069e0/1625886559798/94496536972.pdf
- https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e8cbacc30d520a4451261a/1625869228231/69305187616.pdf
- https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60e926798ce0e10532d2e23f/1625892474005/merge_multiple_files_into_one.pdf
- https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e7b0afd0799e4214be4605/1625796783401/xasivubabijaros.pdf
- https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e8ca08351081123f7c2c6e/1625868808300/kovanadabikal.pdf
- https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60eca2d511a746407a44486d/1626120918007/repetition_of_f.pdf
- https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ec98fdc81c37306b30a911/1626118397970/nail_shop_on_47th_and_damen.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000df31.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDF31	16792 bytes
`font_01_sfnt_off0000f748.bin` `7f22ab672d10dd60e3f7d1f2882e0fed72f890892bc8c25d7a861244606de89c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF748	10292 bytes
`font_02_sfnt_off00010e88.bin` `8f2d30509b1f7edac67ac9e87a46e98ffdcea414880c53fcd76a9d44fd2e8d38`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10E88	17276 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.