Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c51bc9127866a13…

Verdict: MALICIOUS
File type: PDF
Size: 79.9 KB
Created: 2021-07-19 13:16:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 8bb2bf052be41955debec56b5529ca85
SHA-1: 382d6c65cf0b7cf52564da97b7dfb1b598a0220d
SHA-256: 2c51bc9127866a13a09bebcb54b7c877d32e987e92310752aed6209670378c4b
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was flagged by ML classifiers and ClamAV as malicious, indicating a phishing or trojan distribution attempt. It contains embedded URLs that likely serve as lures to external malicious content. Although no scripts were explicitly extracted, the PDF structure and embedded URLs suggest an attempt to redirect the user to a compromised or malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5948

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000cc8c.bin
    Kind: pdf-font-stream. Source: PDF embedded font (sfnt) at offset 0xCC8C. Size: 16796 bytes.
    SHA-256: 6b0f1247a9c1c0b9dc73b1e6f0beeb9d3c3f6e6eaff124135b9220b2360fc2ad
  • font_01_sfnt_off0000f87f.bin
    Kind: pdf-font-stream. Source: PDF embedded font (sfnt) at offset 0xF87F. Size: 10856 bytes.
    SHA-256: 83be73b9dbaa12454284d38225604251d9ba18bd676f550ec40e8b9b03866ef0
  • font_02_sfnt_off0001115d.bin
    Kind: pdf-font-stream. Source: PDF embedded font (sfnt) at offset 0x1115D. Size: 1636 bytes.
    SHA-256: e3a1ca7fbcde87b6e2bc585668cff1a50452d2a09c95c546c16e9f90aebd6500
  • font_03_sfnt_off0001192e.bin
    Kind: pdf-font-stream. Source: PDF embedded font (sfnt) at offset 0x1192E. Size: 16792 bytes.
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1