PDF malware analysis — malicious · 2630ddffcfea160c

MALICIOUS

PDF

85.4 KB Created: 2021-07-18 01:13:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 136e336204c58e7254e1a997410c87fa SHA-1: 263a23216112e7c13fc5bf66f2092687b71761cb SHA-256: 2630ddffcfea160ca24580c16ba70c6526a7d6f3211c9ede0b57342da12ca03b

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The sample is a PDF document that has been flagged by ClamAV as a phishing trojan. Heuristics indicate it contains external URIs and attempts to lure the user into revealing sensitive recovery secrets or private keys. While no scripts were explicitly extracted, the PDF structure and ML classification suggest malicious intent, likely related to phishing or credential harvesting.

Machine Learning

Nyx PDF Classifier malicious score 0.5817

Heuristics 5

Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE

Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://feedproxy.google.com/~r/sq/ugae/~3/jEScUJLm1bs/square?utm_term=introduction+to+cybersecurity+2.1+chapter+1+quiz+answers
- https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e76a01de99cf29ad213944/1625778689405/muscle_and_a_shovel_heresy.pdf
- https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f3283927519501fc0fb11a/1626548281562/88784093324.pdf
- https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f34ead731d8c7c6ffd07fd/1626558125819/ford_puma_owners_manual.pdf
- https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e93da18fb24157da710792/1625898401313/21655028643.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e901.bin` `3a370c4b5a2f23b6c59ff1663655c4e2119ad8f9b965b01fb3eabf3957e52e1e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE901	11400 bytes
`font_01_sfnt_off000103a7.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x103A7	16792 bytes
`font_02_sfnt_off00011bb9.bin` `37d7bb4c35f3dc6aca2895f27b581b8fe35188a37bdba6a98c31cac0f1964f1e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11BB9	17532 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.