PDF malware analysis — malicious · 158948f7f09fb8dc

MALICIOUS

PDF

76.4 KB Created: 2021-07-16 12:37:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 0314eb2b328c1367539e9f7711e97d3e SHA-1: 860c3838428478c3257e0126bf6b51a5c8731fe9 SHA-256: 158948f7f09fb8dca1f0e3cf1287b447aa6b88aecb563aafba08f0439bab2f86

136 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document employs a social engineering tactic, presenting a lure to install a browser extension or update to view its content. This is a common method for distributing malware or stealing credentials. While no scripts were directly extracted, the ML classifier and ClamAV detection strongly indicate malicious intent, likely involving exploitation or further payload delivery.

Machine Learning

Nyx PDF Classifier malicious score 0.7746

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE

Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://feedproxy.google.com/~r/sq/ugae/~3/k6oGaauGqGM/square?utm_term=how+not+to+write+a+screenplay+pdf+download
- https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60ec8c72bc6eee4b058ec226/1626115186564/fundamentals_of_data_structures_in_c.pdf
- https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60ee33a0f6c772366d2d66c2/1626223520313/didujefijelonazusulifag.pdf
- https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60ec9009f4b4775d04a037b7/1626116105744/somers_town_estate.pdf
- https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f02df224fa75375d87313f/1626353138734/juremisapivupu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ca32.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCA32	16792 bytes
`font_01_sfnt_off0000e249.bin` `18ace8e229dafb43d752883b1af2717d0a8aa09167b34507b98dcc6482af5986`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE249	10804 bytes
`font_02_sfnt_off0000fb53.bin` `ca4b0cc010d9a0334ee84895a0daea9b95c4ec109dd7a9b6f72d2f7dd4a1ffc9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFB53	16376 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.