Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c2934d8352ce9da…

MALICIOUS

PDF

88.1 KB Created: 2021-07-18 23:49:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: b63c0530e75537d307b446d2edd46b5f SHA-1: 2d777f2e63ba938b9a409262ea14989d3f0764d6 SHA-256: 2c2934d8352ce9da7bb7cc12002a7600daf684a0728628b60bdb2641de9b1a30
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ClamAV and an ML classifier, indicating a phishing attempt. The presence of embedded URLs suggests the PDF is intended to redirect users to external sites, likely for credential harvesting or further malware delivery. No scripts were extracted from this sample, but the PDF structure and embedded URLs are strong indicators of a phishing attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8172

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/-MXWpcYQ7kA/square?utm_term=lindsay+lohan+is+in+the+news
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e8c7fe3e172817b39c990e/1625868286976/kezeza.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60f0a151dae0cb3903e46e2a/1626382673875/anaphylaxis_gastrointestinal_symptoms.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e932236e267257943b6967/1625895459723/64738766151.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60f207d28180ae5a354ef2bb/1626474450385/final_exam_for_economics_with_answers.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60ecabca1996685841ac8d0e/1626123210179/rikokinekavilibifub.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f704.bin
a81faaf200f282fa314fd8bdc4dcc47f60636d548ceedf138420d933c4148787		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF704 10400 bytes
font_01_sfnt_off00010e85.bin
f8f92c69188202eb3a94e657299d1e4a9da113662be7c8c5455c5ea9be9f42aa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10E85 17692 bytes
font_02_sfnt_off00013c8c.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13C8C 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.