Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ed5974106f44d63…

MALICIOUS

PDF

Size: 151.4 KB
Created: 2021-07-22 10:39:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 517fc875667fa0533b081f7c738d0a61
SHA-1: 4cacc0debf9b04aef6b9bb40335cadffb3f48f86
SHA-256: 1ed5974106f44d638e9ab994c16345ab43d31adfffe1be58e13b444185fef0f5
Risk Score: 104

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The Nyx classifier score (0.9752) and the ClamAV Pdf.Phishing.Trojan signature both point to a malicious document. No scripts were extracted, so the lure is a plain link rather than active content. The clickable target is a feedproxy.google.com (FeedBurner) redirect, which hides the final destination until click time; the document body also references a long series of other PDFs hosted on static1.squarespace.com whose filenames have nothing to do with each other or with this document, a pattern consistent with a bulk-generated set of lure documents (the file was rendered from HTML with wkhtmltopdf). Combined with the urgency/deadline wording, the document is designed to get the recipient to follow the link to a phishing page or a further stage of malware. The remaining URLs (w3.org, purl.org, ns.adobe.com, dejavu.sourceforge.net) are XMP namespace identifiers and DejaVu font licence strings from the embedded fonts, not click targets. The one structural finding is an indirect object defined twice with different bodies through an incremental update, so a first-wins and a last-wins parser disagree about its content; confirm which body a real reader resolves before relying on a linear scanner's view of the link target.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9752

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader (typically a linear scanner) and a last-wins reader (one that follows the newest xref section) resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates (saved form data, added annotations), so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://feedproxy.google.com/~r/sq/ugae/~3/um1bUVUAM38/square?utm_term=aesthetic+songs+roblox+id+2020
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f582a99471b562af2b41cb/1626702505681/17190392883.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60f11c1b2c92ee1ddddd8000/1626414108172/givosekezemitajen.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f5575a699a8678c5929f93/1626691419115/st_augustines_parkland_anglican_church.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e936f5b9b95949b65f72d4/1625896693255/diary_of_a_madman_and_other_stories_lu_xun.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e908b4b132fa362072754f/1625884852404/nejadelirerefazafuw.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f47014db752c5e49b72981/1626632212209/sawasovodumugidolawot.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ec944de7718717d763699b/1626117197373/nutomuwabipa.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60eded4d8f209f4d828589d7/1626205517613/68642505440.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60f610982e93dc7e95b1c586/1626738840972/73035641381.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60f4ecc5c5d9e6782cf45ef0/1626664133607/63955704243.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60e87f9a5dccc23d9866c2f1/1625849754447/informal_letter_writing_topics_for_class_4.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60f62d403ca5073dfd611353/1626746176967/gafazazorizetubijipumo.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f3ab58731d8c7c6f01269b/1626581848956/70556837222.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60f0fd6d44f13e0787b08beb/1626406254030/the_marine_3_full_movie_download.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f2c593e615ea111e62faa8/1626523027297/create_tv_cooking_shows_list.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f00a106611482e0a914c96/1626343952404/vogesabukinagidovoda.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f8b853d214234a65e58f50/1626912851527/why_is_energy_important_to_humans.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e776491bd7543d7b5bde45/1625781833172/54380876259.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f845e0a6affb243f0d8be7/1626883552956/another_word_for_not_well_known.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60effcafbba06d2f341885cf/1626340528040/nivikagir.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f3627e1db272198f9858dd/1626563198981/monthly_finances_excel_template.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60e89fb1aea6c4457b8be278/1625857969878/malang_full_movie_free_download_mp4_filmywap.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
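
As an added worked example (not the report's own tooling), the following Python shows how the two structural heuristics above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL/PDF_URI, can be checked by hand on a raw PDF byte stream. It runs on a constructed fixture with example.test placeholder domains, not on the sample; the object regex, the channel labels and the set of "active content" keys are this example's assumptions, not the scanner's.

```python
"""Added example (not the report's own tooling): a minimal scanner for two of the
heuristics above, run on a constructed fixture rather than the sample itself.

  * PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: the same "N G obj" defined twice with
    different bodies, as happens when an incremental update rewrites an object.
  * EMBEDDED_URL / PDF_URI: /URI action targets, with XMP namespace URIs from
    metadata streams labelled separately so they are not mistaken for click targets.
"""
import re
from collections import defaultdict

# "N G obj ... endobj", in file order, including sections appended after %%EOF.
# The lookbehind stops "14 0 obj" from also matching as "4 0 obj". A compressed
# stream that happens to contain the bytes "endobj" would cut a body short; a
# production scanner should honour /Length for stream objects.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# /URI with a literal string target (hex-string targets <...> are not handled here).
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# xmlns:prefix="..." declarations inside XMP metadata.
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9]+="([^"]+)"')
# Keys whose presence in a competing body makes the duplicate worth escalating
# (assumed list for this example).
ACTIVE_RE = re.compile(
    rb"/(JavaScript|JS|Launch|URI|OpenAction|AA|SubmitForm|EmbeddedFile)(?![A-Za-z])"
)


def iter_objects(data: bytes):
    """Yield (num, gen, body, offset) for each indirect object definition."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def find_duplicate_objects(data: bytes) -> dict:
    """Map (num, gen) -> {first_wins, last_wins, active} for objects defined
    more than once with differing bodies.  A linear scanner typically reports
    the first body; an xref-following reader resolves the last one, because the
    newest incremental update's xref section is consulted first."""
    bodies = defaultdict(list)
    for num, gen, body, _off in iter_objects(data):
        bodies[(num, gen)].append(body)
    return {
        key: {
            "first_wins": defs[0],
            "last_wins": defs[-1],
            "active": any(ACTIVE_RE.search(b) for b in defs),
        }
        for key, defs in bodies.items()
        if len(defs) > 1 and len(set(defs)) > 1
    }


def _unescape(s: bytes) -> bytes:
    # Only the literal-string escapes that matter for URLs: \( \) and \\.
    return re.sub(rb"\\([()\\])", lambda m: m.group(1), s)


def classify_urls(data: bytes) -> list:
    """Return [(url, channel, "N G")] with a channel label per URL, in the spirit
    of the per-URL labels the EMBEDDED_URL heuristic refers to."""
    found = []
    for num, gen, body, _off in iter_objects(data):
        for m in URI_RE.finditer(body):
            if re.search(rb"/Subtype\s*/Link", body):
                channel = "link annotation"
            elif b"/OpenAction" in body:
                channel = "open action"
            else:
                channel = "uri action"
            found.append((_unescape(m.group(1)).decode("latin-1"), channel, f"{num} {gen}"))
        for m in XMLNS_RE.finditer(body):
            found.append((m.group(1).decode("latin-1"), "xmp namespace", f"{num} {gen}"))
    return found


# Constructed fixture: a one-page document whose link annotation (object 4) is
# redefined by an appended incremental update. The xref tables are omitted, so
# this is a scanner fixture, not a file a viewer would open. Domains are
# placeholders under example.test, not the URLs from the sample.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://invoice.example.test/view) >> >>\nendobj\n"
    b"5 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
    b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"\n'
    b'         xmlns:dc="http://purl.org/dc/elements/1.1/"/>\nendstream\nendobj\n'
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # incremental update: same object number and generation, different body
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://feedproxy.example.test/~r/lure) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for (num, gen), d in find_duplicate_objects(SAMPLE_PDF).items():
        print(f"{num} {gen} obj defined twice (active content: {d['active']})")
        print("  first-wins:", d["first_wins"].decode("latin-1").replace("\n", " "))
        print("  last-wins: ", d["last_wins"].decode("latin-1").replace("\n", " "))
    for url, channel, obj in classify_urls(SAMPLE_PDF):
        print(f"{channel:16} {obj:>5}  {url}")
```

On a real file, run find_duplicate_objects over the raw bytes and compare the two bodies for the object named in the finding. If they disagree about a /URI target, the last-wins body is what a conforming viewer shows the user, while the first-wins body is what a linear URL extractor reported; the URLs labelled "xmp namespace" are metadata and can be dropped from the indicator list.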

Extracted artifacts (6)

Files carved from inside the sample during analysis. All six are sfnt-wrapped font programs embedded by the wkhtmltopdf rendering, which also accounts for the dejavu.sourceforge.net URLs above; none is a dropped payload, though embedded fonts remain an attack surface for the reader's font parser and are worth checking separately if the reader is unpatched.

  • font_00_sfnt_off0001aa5c.bin
    SHA-256: 3c269ad366760690a0bd830ce771bc295c569cee03163e3b03d8f7f3e6a94e77
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1AA5C
    Size: 18820 bytes
  • font_01_sfnt_off0001c7e7.bin
    SHA-256: edb78ca23ddf353d4ac1e52f1595011ecf080c898bc949f12bea0e4d3f3530b1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1C7E7
    Size: 21952 bytes
  • font_02_sfnt_off000202db.bin
    SHA-256: 0ef8680123320fdbdcd46e4f7f4aac5bc539a4aca1d0678330c794157112f1e9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x202DB
    Size: 4928 bytes
  • font_03_sfnt_off00021544.bin
    SHA-256: 7c10ccc6d58fbdd0cb2221e12f361e4c6cbfdc26f1098d524d97628151b66c5e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x21544
    Size: 10952 bytes
  • font_04_sfnt_off00022e42.bin
    SHA-256: e24254b6df17fa76a9603abc0f648e8aa0231b5354f05e54c4d3a14cafded851
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x22E42
    Size: 1012 bytes
  • font_05_sfnt_off00023595.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x23595
    Size: 16792 bytes