PDF malware analysis — malicious · 21bfab9e51b206ab

MALICIOUS

PDF

83.4 KB Created: 2021-07-12 20:56:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: f7795ee33f10f84dab7c076fd55f67ee SHA-1: 1ea2b66cbfa5cb60b1b7102553854d214968be1d SHA-256: 21bfab9e51b206ababd9e3f5e715c82bd34f787c44feeeb39f9314ee5dfae2d6

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a phishing or malware delivery attempt. The presence of embedded URLs, though many are confirmed benign, suggests an attempt to lure users to external sites. The file's structure and metadata are consistent with malicious PDFs designed to exploit vulnerabilities or deliver further payloads.

Machine Learning

Nyx PDF Classifier malicious score 0.8981

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://feedproxy.google.com/~r/razvivatel/yapz/~3/v-xubMviL4Y/square?utm_term=stocking+fillers+for+students
- https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e87734ce4b197211de4c2e/1625847604529/2020_federal_income_tax_form_1040.pdf
- https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e94fb4b630645a0ef8b747/1625903028215/professional_sharepoint_2013_administration.pdf
- https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60e92be48ce0e10532d30b49/1625893860743/14254043741.pdf
- https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60e8e49a309bd63f3d82e49c/1625875610264/level_7_brain_out.pdf
- https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e77174ec34f709ddbde594/1625780596969/the_family_tree_of_jesus_christ.pdf
- https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60e9617ec22c005c933a88da/1625907582319/one_piece_stampede_english_dub.pdf
- https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60e8f22ccc7c08645924d6fc/1625879084166/flapjack_with_treacle.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e23c.bin` `59e7b58099f632271383fbc7bb2103eb70df100a1c051971ebea1d077fda33d4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE23C	10756 bytes
`font_01_sfnt_off0000fae3.bin` `964fdb790c8f658bbde820a0735d3446f453b7401ed56f932a1a574482e6f168`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFAE3	17368 bytes
`font_02_sfnt_off000127f9.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x127F9	16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.