Malicious PDF — malware analysis report

Static analysis result for SHA-256 10bdcdf21e12becd…

MALICIOUS

PDF

75.5 KB Created: 2021-07-16 21:00:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 5d2f30411aa2fd73ee9f56254c46cf43 SHA-1: 5ca2eb83b0591e7cf0b33b54f37a248b14853956 SHA-256: 10bdcdf21e12becdba14276f8962a4cd9788361eb2ea8ca67fa3050dada29d2d
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded URLs, one of which is flagged as a potential phishing lure. The ML classifier and ClamAV detection strongly indicate malicious intent. While no scripts were explicitly extracted, the presence of embedded URLs suggests an attempt to redirect the user to a malicious site, likely for credential harvesting or further payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7483

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/0YvHz_IItD0/square?utm_term=maslow+theory+of+motivation+in+education
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e9449292abcc18c4f73733/1625900178183/email_english_2nd_edition.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60f0a1bb0e564025fd723e2a/1626382779929/canyon_crest_academy.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ee01b1537dfa2004084ff5/1626210737871/ruvoligutiwupatiwososemin.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f017b2d052060b21f7e1dd/1626347443018/69473053163.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c87f.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC87F 16792 bytes
font_01_sfnt_off0000e091.bin
d56c82d877c9195b8ac9d88614b3948cc8a71f4a97b8e417387d8dadf216d393		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE091 15596 bytes
font_02_sfnt_off00010857.bin
120ac605ce81e4a480b63535b49a58a158187c38f4ed77c9e44d7331e24e2f3d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10857 11100 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.