Malicious PDF — malware analysis report

Static analysis result for SHA-256 30d9ef1144d866a6…

Verdict: MALICIOUS
File type: PDF
Size: 74.2 KB
Created: 2021-07-15 09:11:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 0b4fd5df502a4256dd525cc84b5b88f0
SHA-1: c0d0b0e5d1bf203a1303d38e0c6b41babbbe6b74
SHA-256: 30d9ef1144d866a69143292fb80edd44d0087aa3d2607fc6eaa8969b676da57d
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment

The PDF file was flagged by ClamAV as a phishing trojan, and a machine learning classifier assigned it a high probability of being malicious. The embedded URL, disguised as a Philips home lighting catalogue, is a common phishing lure. Although no scripts were extracted, the PDF structure and the nature of the embedded URL indicate that the document is designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8872

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so the severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://feedproxy.google.com/~r/sq/ugae/~3/X6hrLWyzjlw/square?utm_term=philips+home+lighting+catalogue+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000c249.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC249
    Size: 16792 bytes
  • font_01_sfnt_off0000da5b.bin
    SHA-256: 919dff6ffdc48fe3710960090a74ee38c357372bc666c2718cfd346a4acfbe0b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDA5B
    Size: 16040 bytes
  • font_02_sfnt_off000103ab.bin
    SHA-256: e03d866cd101bc30e03cb8099274c3f8347525a83b5b68945a44be6cc6b25cff
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x103AB
    Size: 11068 bytes