Malicious PDF — malware analysis report

Static analysis result for SHA-256 2efcc8fcd73a8732…

Verdict: MALICIOUS
File type: PDF
Size: 76.3 KB
Created: 2021-07-14 07:49:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 55b09fd4cfc6be631c61ce572d280d24
SHA-1: 49107ad0e895e4124fd6dae65d7d2bb4c970eca8
SHA-256: 2efcc8fcd73a8732723a457dff8881d5fb599df539da6b83c77e698f5f114469
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. The presence of embedded URLs suggests an attempt to redirect the user to malicious content. Although no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a phishing lure, likely delivered via email as an attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8791

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://feedproxy.google.com/~r/razvivatel/yapz/~3/UQ8tT55rDuk/square?utm_term=interview+questions+and+answers+in+software+testing
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60ee1202e03b615e098ad314/1626214914838/the_village_by_the_sea_questions_and_answers.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e9294adb8bb141bad9af52/1625893195003/imao_meaning_text.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60eddf80a4137771ba023681/1626201984198/life_skills_group_activities.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e8d92a78606b4d18578b59/1625872682561/48855963499.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e920cdb67368755967cc09/1625891021865/simple_snake_game_in_c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000caa8.bin
    SHA-256: 3b71ea67878de76d18570c87bdc3cd395a669d767bfb46829449995bd73f09d5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCAA8
    Size: 16144 bytes
  • Filename: font_01_sfnt_off0000f454.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF454
    Size: 16792 bytes
  • Filename: font_02_sfnt_off00010c6b.bin
    SHA-256: 91cafdedde5478f475209d3c469ecb754f610c072a6bec1ef2692b426daac668
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10C6B
    Size: 10832 bytes