PDF malware analysis — malicious · 1a6f2669fdd2bcb3

MALICIOUS

PDF

77.7 KB Created: 2021-07-16 18:08:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: e5d155495bd86065dbc6e5196cba9e35 SHA-1: e9f2d797a4614927797de26cbece172ea614d26a SHA-256: 1a6f2669fdd2bcb34540974b75f9184e9ca087ae80edd62322ce627960669a5b

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The file was identified as malicious by ML classifiers and ClamAV, specifically as a phishing trojan. While no scripts were explicitly extracted, the presence of embedded URLs and the PDF structure suggest it may be used to lure users to malicious sites or download further payloads. The document body was unreadable, preventing a more specific analysis of the lure.

Machine Learning

Nyx PDF Classifier malicious score 0.9214

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://feedproxy.google.com/~r/razvivatel/yapz/~3/4Ji06Fp1PxY/square?utm_term=mayonnaise+is+made+up+of
- https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f16a9093f2b3003810e53d/1626434192632/romisi.pdf
- https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ec80b1c3fb560d26f29c61/1626112177663/mobdro_not_working.pdf
- https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60ec868b950202184f10ee16/1626113676094/pebimiwu.pdf
- https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60f0606e173e047f00a6313d/1626366062333/56489092570.pdf
- https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ec7e9572e2584f2462be78/1626111637448/9356617456.pdf
- https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60ec802020781e4bb11b86d3/1626112032634/the_general_unwanted_wife_novel.pdf
- https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60eda936cd0cb17c7630029c/1626188086697/xalamugowajotubijiparos.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000cfe9.bin` `8390b3a03c200d9f04c8e6a9a1f4ae11129539f60986589ee8d258dd6d18e8a3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCFE9	16520 bytes
`font_01_sfnt_off0000faba.bin` `134c12ccb30adeca3a81558e0c329e62e98f0fc6fae77856e72e88c0c5579075`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFABA	10620 bytes
`font_02_sfnt_off00011301.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11301	16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.