Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d1d6649a7f88344…

Verdict: MALICIOUS
File type: PDF
Size: 78.3 KB
Created: 2021-07-16 23:09:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 945d31e534953fdf0b1e3635ab80cd7e
SHA-1: 69a3cc34c4f72d44d9d548ef84c01b3e8fc18680
SHA-256: 2d1d6649a7f8834430ff40fab335a6f347314b9a5568ed10f42fc617a1706220
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF was flagged by multiple heuristics, including a critical ClamAV detection (Pdf.Phishing.Trojan) and an ML classifier score of 0.80 for maliciousness. The file was produced by wkhtmltopdf, and static extraction recovers no readable text from the document body; the only carved artifacts are three embedded sfnt font streams. The actionable indicators are the external URI actions: a feedproxy.google.com redirect whose utm_term reads "you can negotiate anything book pdf" and a cluster of squarespace.com-hosted PDFs with unrelated keyword-style filenames, a pattern consistent with link-chain phishing or search-engine lure documents that move the victim from one hosted PDF to the next. None of the listed heuristics reports JavaScript, launch actions, embedded files or an exploit payload, so the evidence supports a phishing or lure delivery document that depends on the user following a link rather than one that exploits the reader; the remaining URLs are XMP namespace identifiers and DejaVu font-licence references carried in metadata and are not indicators on their own.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8028

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. In this sample the feedproxy.google.com and static1.squarespace.com entries are the navigable targets worth following up; the w3.org, purl.org and ns.adobe.com entries are XMP/RDF namespace identifiers, and the dejavu.sourceforge.net entries are licence references inside the embedded DejaVu fonts, none of which a viewer navigates to.
    • https://feedproxy.google.com/~r/sq/ugae/~3/W5vEtEh6t-A/square?utm_term=you+can+negotiate+anything+book+pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ee126adf3d323292cd44b7/1626215018407/wizem.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60ec8f0b3631fd4ab816fe62/1626115851410/best_comp_for_tft.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e91d120cbdad4d3505a527/1625890066649/eukaryotic_cell_meaning_in_bengali.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60ed9da1151a035e9e7bcef0/1626185121959/2174490063.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ec8bd9b8cbe518df58bcfc/1626115033770/soon_to_be_wifey.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
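The two structural heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and the per-channel URL labels) can be reproduced for triage with a small scanner. The following is an added example written for this page, not the analysis engine's own code: it walks every `N G obj ... endobj` definition in a PDF, reports object numbers defined more than once with different bodies, shows what a first-wins reader and a last-wins reader would each resolve, raises severity only when a duplicate carries active content (JavaScript, launch or form actions), and labels each extracted URL with the channel it came from (URI action, JavaScript string, XMP metadata, or plain document body). The sample PDF, its object numbers and the example.invalid hostnames are constructed for the demonstration; the scanner works on raw bytes, so compressed streams and /ObjStm object streams must be inflated first for it to see their contents.

```python
import re
from collections import defaultdict

# Constructed sample (not the file from this report): a page with one /Link
# annotation carrying a /URI action, an uncompressed XMP metadata object, and
# object 4 0 redefined in an incremental update with a different body that
# carries active content (/JavaScript). Names and hosts are illustrative.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example.invalid/doc.pdf) >> >> endobj
5 0 obj << /Type /Metadata /Subtype /XML /Length 73 >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"></rdf:RDF>
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.launchURL("https://second.example.invalid/")) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")          # /URI (...) literal strings
URL_RE = re.compile(rb"https?://[^\s\"'()<>]+")                  # any http(s) URL in a body
# Keys whose presence means the object can run or trigger something on open/click.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm", b"/GoToR")


def find_duplicate_objects(pdf: bytes) -> dict:
    """Map (num, gen) -> [(offset, body), ...] for objects defined more than once
    with differing bodies. Byte-identical redefinitions are ignored."""
    seen = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        seen[(int(m.group(1)), int(m.group(2)))].append((m.start(), m.group(3).strip()))
    return {k: v for k, v in seen.items() if len({body for _, body in v}) > 1}


def resolve_object(pdf: bytes, num: int, gen: int, policy: str = "last"):
    """Body a first-wins ("first") or last-wins ("last") reader would use for `num gen obj`."""
    bodies = [m.group(3).strip() for m in OBJ_RE.finditer(pdf)
              if (int(m.group(1)), int(m.group(2))) == (num, gen)]
    if not bodies:
        return None
    return bodies[-1] if policy == "last" else bodies[0]


def has_active_content(body: bytes) -> bool:
    """Crude name-key check; /JS also matches longer names, acceptable for triage."""
    return any(key in body for key in ACTIVE_KEYS)


def extract_urls(pdf: bytes) -> dict:
    """Map each URL to the set of channels that carried it."""
    urls = {}
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        uri_targets = set(URI_RE.findall(body))
        for u in uri_targets:
            urls.setdefault(u.decode("latin-1"), set()).add("uri_action")
        if b"/JavaScript" in body or b"/JS" in body:
            channel = "javascript"
        elif b"/Metadata" in body or b"xmlns" in body:
            channel = "xmp_metadata"       # namespace URIs, not navigable targets
        else:
            channel = "document_body"
        for u in URL_RE.findall(body):
            if u not in uri_targets:
                urls.setdefault(u.decode("latin-1"), set()).add(channel)
    return urls


def analyze(pdf: bytes) -> dict:
    """Severity stays 'info' for body-only duplicates (benign incremental updates) and
    becomes 'high' only when a duplicate definition carries active content."""
    findings, severity = [], "info"
    for (num, gen), defs in find_duplicate_objects(pdf).items():
        active = any(has_active_content(body) for _, body in defs)
        findings.append({
            "object": f"{num} {gen}",
            "offsets": [off for off, _ in defs],
            "active_content": active,
            "first_vs_last_wins_differ": resolve_object(pdf, num, gen, "first") != resolve_object(pdf, num, gen, "last"),
        })
        if active:
            severity = "high"
    return {"severity": severity, "duplicate_objects": findings, "urls": extract_urls(pdf)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_PDF), indent=2, default=sorted))
```

On the constructed sample the scanner reports object `4 0` defined twice, with the first-wins reader seeing a plain `/URI` link and the last-wins reader seeing the `/JavaScript` action, so severity is raised to high; the w3.org namespace URL is labelled xmp_metadata rather than as a link target, which is the distinction the EMBEDDED_URL labels above are making.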

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                        Size
font_00_sfnt_off0000cf5a.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xCF5A     16792 bytes
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000e76c.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xE76C     16632 bytes
  SHA-256: 59546f00baef12d2dbe60d75d213969c3d0b2e9504f98f7a80a37aafe4d7b04b
font_02_sfnt_off000112ad.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x112AD    11012 bytes
  SHA-256: 5c89b6279b118e49a3e6c537c1e06917e8d0a9ceaf405ecb4395754692a54c83
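Carved font streams like the three above are handed straight to the viewer's font engine, so the first thing to check on each blob is whether its sfnt table directory is internally consistent. The following validator is an added example for this page, not the analysis engine's own carving code: it parses the 12-byte offset table and the 16-byte table records, checks that every table lies inside the blob and that its recorded checksum matches (the `head` table is exempt because its `checkSumAdjustment` field breaks the sum), and returns the issues it finds. The `build_sfnt` helper only exists to construct a minimal test font inline; the table contents are arbitrary filler. Run it over the carved `.bin` files to confirm they parse as fonts before spending time on them.

```python
import struct

VALID_VERSIONS = {
    0x00010000: "TrueType",
    0x74727565: "TrueType (Apple 'true')",
    0x4F54544F: "OpenType/CFF ('OTTO')",
}


def calc_checksum(data: bytes) -> int:
    """sfnt table checksum: sum of big-endian uint32 words over the zero-padded table, mod 2^32."""
    padded = data + b"\0" * (-len(data) % 4)
    return sum(struct.unpack(f">{len(padded) // 4}I", padded)) & 0xFFFFFFFF


def build_sfnt(tables) -> bytes:
    """Assemble a minimal TrueType-flavoured sfnt from [(tag, data), ...].
    Constructed test input only; the table contents are not real font tables."""
    num = len(tables)
    max_pow2, entry_selector = 1, 0
    while max_pow2 * 2 <= num:
        max_pow2, entry_selector = max_pow2 * 2, entry_selector + 1
    search_range = max_pow2 * 16
    header = struct.pack(">IHHHH", 0x00010000, num, search_range, entry_selector, num * 16 - search_range)
    directory, body, offset = b"", b"", 12 + 16 * num
    for tag, data in tables:
        padded = data + b"\0" * (-len(data) % 4)
        directory += struct.pack(">4sIII", tag, calc_checksum(data), offset, len(data))
        body += padded
        offset += len(padded)
    return header + directory + body


def parse_sfnt(blob: bytes) -> dict:
    """Parse and validate the offset table and table directory of an sfnt blob.
    Returns {'version', 'tables', 'issues'}; an empty 'issues' list means the directory
    is self-consistent, which says nothing about the parsed table contents themselves."""
    issues, tables = [], []
    if len(blob) < 12:
        return {"version": None, "tables": tables, "issues": ["blob shorter than the 12-byte offset table"]}
    version, num, _search_range, _entry_selector, _range_shift = struct.unpack(">IHHHH", blob[:12])
    if version not in VALID_VERSIONS:
        issues.append(f"unknown sfnt version 0x{version:08X}")
    if 12 + 16 * num > len(blob):
        issues.append(f"numTables={num} but the table directory runs past the end of the data")
        num = (len(blob) - 12) // 16          # only inspect the records that actually exist
    directory_end = 12 + 16 * num
    for i in range(num):
        tag, checksum, offset, length = struct.unpack(">4sIII", blob[12 + 16 * i:28 + 16 * i])
        name = tag.decode("latin-1")
        entry = {"tag": name, "offset": offset, "length": length, "ok": True}
        if offset + length > len(blob) or offset < directory_end:
            # Out-of-bounds or overlapping the directory: the shape that trips font parsers.
            issues.append(f"{name}: offset 0x{offset:X} + length {length} outside the data (size {len(blob)})")
            entry["ok"] = False
        elif name != "head" and calc_checksum(blob[offset:offset + length]) != checksum:
            issues.append(f"{name}: checksum mismatch (stored 0x{checksum:08X})")
            entry["ok"] = False
        tables.append(entry)
    return {"version": VALID_VERSIONS.get(version), "tables": tables, "issues": issues}


if __name__ == "__main__":
    # Constructed two-table font, then the same bytes with the cmap offset pointed outside the blob.
    sample = build_sfnt([(b"head", b"\x00\x01\x00\x00" + b"\x00" * 50), (b"cmap", b"\x00\x00\x00\x01abc")])
    print(parse_sfnt(sample))
    corrupted = sample[:36] + b"\xFF\xFF\x00\x00" + sample[40:]   # bytes 36..40 = cmap offset field
    print(parse_sfnt(corrupted))
```

A clean directory is the baseline; a record whose offset plus length exceeds the carved size, or whose checksum does not match, means either the carve was truncated (compare against the stream's /Length) or the font was edited after generation, and either way the blob deserves a closer look in a sandboxed font parser rather than the production viewer.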