Malicious PDF — malware analysis report

Static analysis result for SHA-256 2caf7d80f1144d67…

MALICIOUS

PDF

73.0 KB Created: 2021-07-16 21:57:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 92fabd35780f96347e4003d864b67434 SHA-1: 90368d6c100676b4d64713c0ed52581402dfb841 SHA-256: 2caf7d80f1144d67710f8a99fd51a0488774f54e973e6b870fae805df372c8df
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by a machine learning classifier and ClamAV as a phishing trojan. The presence of embedded URLs, despite some being marked as benign, suggests a potential phishing or malicious redirection attempt. The file's structure also indicates duplicate object bodies, which can be used to obfuscate malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8216

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/kVSxLQpkboc/square?utm_term=60+ft+lbs+to+in+lbs
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e8d1e7efa1bb2f50749784/1625870823175/dr_faustus_act_1_scene_3.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60eca1a345711547b6a933c5/1626120611463/wikikaju.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60edab88c8312e4ee1dfb2f8/1626188680609/humble_in_tamil.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60eda1f3e0c6fb60661436e9/1626186227367/kgf_chapter_2_watch_now.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f016b40dea5e4896be07b4/1626347188655/93303306178.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000be1d.bin
dc8b6054798238d5a7e1ff6c85b020fa0e3d0a2af8bdd5619571394d52adb0a9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBE1D 10148 bytes
font_01_sfnt_off0000d4da.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD4DA 16792 bytes
font_02_sfnt_off0000ecec.bin
b531c9a0ef8bf4ad3cf82182a3533ef18fbcff1567ccbdff8ef1a1101e7fbebe		 pdf-font-stream PDF embedded font (sfnt) at offset 0xECEC 16724 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.