Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d4b42cce240e6a9…

Verdict: MALICIOUS
File type: PDF
Size: 83.3 KB
Created: 2021-07-13 16:44:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 96d3450851509f556fab6f77964c72bc
SHA-1: afcc1988521384fb07ad746f33699a52fa0ae3f7
SHA-256: 1d4b42cce240e6a96ec750c8931bb652c86c216ccc248ec68a738767a7811756
Risk Score: 66

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file was detected by ClamAV as a phishing trojan, indicating malicious intent. It contains embedded URLs that could be used to redirect users to malicious sites or download further payloads. The PDF structure and the presence of external URIs suggest an attempt to lure the user into clicking a link, a common tactic for phishing campaigns.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3485

Heuristics (4)

  • ClamAV detection (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000cb0a.bin
  SHA-256: daadc88bf56315fd37cc932381d908993c86da640e89f04112318955011942fb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xCB0A
  Size: 17356 bytes

Filename: font_01_sfnt_off0000f87d.bin
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF87D
  Size: 16792 bytes

Filename: font_02_sfnt_off0001108e.bin
  SHA-256: bfc7ce51a1a9b37382af61f0075eb0cdb972126da031002d338643432d80e6e4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1108E
  Size: 16252 bytes

Filename: font_03_sfnt_off0001266f.bin
  SHA-256: 7f672603a02a09f3b40f78df1c7d53f0083a08e41a86343871e3ff554248ae97
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1266F
  Size: 10824 bytes