Malicious PDF — malware analysis report

Static analysis result for SHA-256 16f2216ec45b9750…

MALICIOUS

PDF

74.7 KB Created: 2021-07-20 11:58:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: c559bb52d3cf5ed00e06b8a6a1c4e247 SHA-1: aa5d3243084f9eabccab40920a7b3013b8a4e20a SHA-256: 16f2216ec45b97501985a4354d89bc9635f2e99e9fadc5974e692d586deda473
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a PDF document identified as malicious by ClamAV and an ML classifier. It contains an embedded URL pointing to 'wastran.ru', which is flagged as suspicious. The document body is heavily obfuscated, but the presence of the external URI heuristic and the ClamAV detection strongly suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6911

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://wastran.ru/square?utm_term=code+roblox+all+star+tower+defense
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f25b79ebca9b5ae8e1f88d/1626495865937/18761981616.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f5202a04a1d97017b06fc7/1626677291152/pythagorean_triples_with_10.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60edf250c6126f45c3e4249d/1626206800687/mutual_funds_stock.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f1a1fe0a98f014ef6027c8/1626448382702/cher_and_elton.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c311.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC311 16792 bytes
font_01_sfnt_off0000db28.bin
9742130b49deee6cfad74d18e96f8406ec4aa44d915a6c041ae8cabd0d7c3059		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDB28 10616 bytes
font_02_sfnt_off0000f3a3.bin
26680acf131bb8f66017cd40e19554b8a60f5f9a45c8983496bd32dc875a4586		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF3A3 16104 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.