Malicious PDF — malware analysis report

Static analysis result for SHA-256 23fe555778cd82d9…

MALICIOUS

PDF

Size: 79.9 KB
Created: 2021-07-16 11:32:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: b8913e2967f81220b5a9b52aa42cfd1c
SHA-1: 6fc210cdd1bb28df0208b38c4338f4aeb2db3374
SHA-256: 23fe555778cd82d98c648cdc42a8d1d80a420d3f6fd95d6baeff5e7179abadd0
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or malware delivery attempt. The PDF contains embedded URLs, though the specific content of the document body is heavily obfuscated and unreadable. No scripts were extracted from this sample, limiting further analysis of its execution behavior.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6279

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://feedproxy.google.com/~r/sq/ugae/~3/r_nBws6J8g8/square?utm_term=roosters+selly+oak
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60eddca08f209f4d8283d2b8/1626201248886/atomic_structure_iit_jee_questions.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60e7d5e06d117d6eeca4217a/1625806304604/62281920794.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ee82f86d75c50a5d47b738/1626243833107/average_grip_strength_male.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ed97c1cd0cb17c762e35e3/1626183617356/a_velocity_time_graph_can_give_you.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000d96d.bin
    SHA-256: e09eb8d0a85ba4a80741edb8488e4384a579e49dee8b1241d45915f5040f42ea
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD96D
    Size: 16320 bytes
  • font_01_sfnt_off000103d4.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x103D4
    Size: 16792 bytes
  • font_02_sfnt_off00011beb.bin
    SHA-256: 585bb0e9ff9a7df9bfcc52b06cdf2e18674d4b3771bb10790f5b8b778d84bafe
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11BEB
    Size: 10156 bytes