Malicious PDF — malware analysis report

Static analysis result for SHA-256 2296e68a9ad6194b…

Verdict: MALICIOUS
File type: PDF
Size: 82.0 KB
Created: 2021-07-13 09:45:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 63404efbab987cd2af5cbd457bbb01c3
SHA-1: 90b78406aa6f3da991557b39117304de6c36e09f
SHA-256: 2296e68a9ad6194bc476def8ea1b7c2a0320b311b4c4cd779b5daff0e59e46d5
Risk Score: 66

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file was detected by ClamAV as Pdf.Phishing.Trojan, indicating a phishing attempt. It contains multiple embedded URLs, some of which are associated with the document's content, but the primary malicious intent is suggested by the ClamAV detection and the presence of external URIs. The PDF structure also shows duplicate object bodies, which can sometimes be used to obfuscate malicious content.

Machine Learning

  • Nyx PDF Classifier clean score 0.1542

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://feedproxy.google.com/~r/sq/ugae/~3/eaN1Eb74jJI/square?utm_term=quotes+from+beowolf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60e838515c13cc4fedee8774/1625831506110/rutowili.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60ecaccb8c19ad4998defaeb/1626123467756/79742983839.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000dd7f.bin
    SHA-256: c1a53107849c4311e760fe15213f7ece27e1e5fa6542e504e8a32efdec8cf8dd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDD7F
    Size: 10404 bytes
  • font_01_sfnt_off0000f54f.bin
    SHA-256: 9070aeb881888570882409d73049e763e0b443f56d4ca3ba7f0440807261b5e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF54F
    Size: 18720 bytes
  • font_02_sfnt_off00012488.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12488
    Size: 16792 bytes