Malicious PDF — malware analysis report

Static analysis result for SHA-256 287150ee92a839d0…

MALICIOUS

PDF

116.8 KB Created: 2021-07-15 16:19:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 114c771e589c90266a7e520194c9b9ca SHA-1: 20a2ad6b5fcb1b37b87b13bd184d42d0c49ccee2 SHA-256: 287150ee92a839d0f474ea3e46bcb403e6d2240b8fe191461d9a84a75680446d
66 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The ClamAV heuristic identified this PDF as 'Pdf.Phishing.Trojan', indicating a malicious intent. The presence of embedded URLs, though many are marked benign, suggests an attempt to redirect the user to potentially harmful external content. The file's structure also shows duplicate object bodies, a common tactic in obfuscating malicious content within PDFs.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3083

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/4aHNpQc2m6I/square?utm_term=smash+brothers+ultimate+characters
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60ee3f65b1f8b9564885e0fd/1626226533241/suvakukepigelefixolexom.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60ecaa757725086813707e45/1626122869231/pdf_explained_download.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60edee15e55429721e22d3e4/1626205718037/crabs_lobsters_and_shrimp_are_all_classified_as.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00015ac0.bin
9a0daf7c98be59bd45d1cdc53e7a7b82731a41a7def25ee91c5857c4a9430731		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15AC0 3208 bytes
font_01_sfnt_off0001679a.bin
bd0e4179db2b04adf8da5ff632953b16a2481d8107bfa3db0f27ee0e14352231		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1679A 10708 bytes
font_02_sfnt_off0001802b.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1802B 16792 bytes
font_03_sfnt_off0001983d.bin
b5cef31480551ad20f28940f8b05a830b166b9e4446e95e01c7c17fd7c96f2c8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1983D 17744 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.