Malicious PDF — malware analysis report

Static analysis result for SHA-256 2582e92ab95ec6cd…

Verdict: MALICIOUS
File type: PDF
Size: 77.0 KB
Created: 2021-07-15 21:22:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: ade77b04f1b0245cb0f8cece94da8295
SHA-1: 405d616a52766fe5dc7051a80f68546ba0547e05
SHA-256: 2582e92ab95ec6cdaa48a9e1a100d59c7d46f9b896a95fb6af835bc1abb637fd
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an embedded URL that points to a suspicious domain, flagged by heuristics as potentially malicious and part of a phishing attempt. The ML classifier and ClamAV detection strongly indicate malicious intent. Although no scripts were directly extracted, the PDF structure and embedded URI suggest it is designed to redirect users to a harmful site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9001

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://archism.ru/square?utm_term=lost+car+tabs+washington+state
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60efcb191a40e718904fc3e5/1626327833926/40922639625.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60ee1a8b115d504d3a838d02/1626217099515/formation_of_terrestrial_and_jovian_planets.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60ee025d8e89d93564d8d947/1626210909541/73341664425.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60e86f27574275143a08e984/1625845543697/what_kind_of_cheese_is_made_backwards_riddle.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ecfd48e255175820bba99c/1626144072594/the_book_of_2nd_corinthians.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, SHA-256, kind, source and size.

  • font_00_sfnt_off0000ccd2.bin
    SHA-256: 8f1f3721640e91d630d4d374e0f862a8006338d790c18e61e062165723b84c12
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCCD2
    Size: 10648 bytes
  • font_01_sfnt_off0000e54b.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE54B
    Size: 16792 bytes
  • font_02_sfnt_off0000fd5d.bin
    SHA-256: 0d465e14c8b9f1fbbd381f09c0b0fe3274a22edc8d8fb314f25fef4ec05a9950
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFD5D
    Size: 16468 bytes