Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d42466d284592af…

Verdict: MALICIOUS
File type: PDF
Size: 91.0 KB
Created: 2021-07-21 20:51:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 070fc3ca317970d0baa3f2a5fe8c6522
SHA-1: 77b761cc4f3c3d8d50e1971b84e06750e113e955
SHA-256: 1d42466d284592af06ce7eabc32a08ad085957e080aa0c931c5b294cba3c92f3
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document was flagged by multiple signals, including a critical ClamAV detection, an ML classifier verdict and several structural heuristics, indicating malicious intent. The presence of embedded URLs suggests an attempt to redirect users to external sites, a common tactic for phishing or malware distribution. Although no scripts were extracted, the PDF structure and the heuristic firings strongly suggest that it is designed to exploit vulnerabilities or to trick users into visiting malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename, SHA-256, kind, source and size of each carved file:

  • font_00_sfnt_off0000e0d5.bin
    SHA-256: ee6d8c25003eb2de61ee1fda640ec7b8e4605923364b71ee832b966c85f0f81c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE0D5
    Size: 1780 bytes
  • font_01_sfnt_off0000e938.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE938
    Size: 16792 bytes
  • font_02_sfnt_off0001014f.bin
    SHA-256: f5cba2b93bc901a05c399b937ec19a72aef48a7193dcaca974c155d334da8d37
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1014F
    Size: 10928 bytes
  • font_03_sfnt_off00011a86.bin
    SHA-256: 6c6cbde5be3d8fc75ce6d4c7cc1a29d0124bece6d6ddfd795f5971ddd569875c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11A86
    Size: 16848 bytes
  • font_04_sfnt_off000146af.bin
    SHA-256: 4a1f7d241d71f120329142ecd14eb72ef9707a13ea641da5e0d89a690b1f9c45
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x146AF
    Size: 16316 bytes