Malicious PDF — malware analysis report

Static analysis result for SHA-256 1044a14c7d68f203…

MALICIOUS

PDF

Size: 84.0 KB
Created: 2021-07-22 02:04:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: d0cad79640afbb6c4ba4550b8f446ef7
SHA-1: fadf538ae983437b12d962db587dd03a957afa35
SHA-256: 1044a14c7d68f2037f91e40cf575a0be8cf6f37582483a3c4f470b273a4819f3
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is identified as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The PDF contains embedded URLs that lead to external resources, suggesting a phishing or credential harvesting attempt disguised as educational material. Although no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a malicious document designed to trick users into accessing harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9972

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off0000e3d3.bin
    SHA-256: 48bb09c4a90adf635758eeb505dc63d7e8065f114245dd26b38669d59c26fbdb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE3D3
    Size: 17060 bytes
  • font_01_sfnt_off00011081.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11081
    Size: 16792 bytes
  • font_02_sfnt_off00012898.bin
    SHA-256: 085bd60f57cfad9ea5e5f106c9da28d59fdaa87d8c7b48ca506528b7459c6df5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12898
    Size: 11136 bytes