Malicious PDF — malware analysis report

Static analysis result for SHA-256 34cd1635198c4b2a…

Verdict: MALICIOUS
File type: PDF
Size: 123.6 KB
Created: 2021-07-13 09:12:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: c8b7bbc3e070af300fdd8c9778d6d26b
SHA-1: bfb39a32250426c538d13e308ab5d561302bd802
SHA-256: 34cd1635198c4b2a706658dc6e02269f39ccfa0f2c9c58514970a5571adccfa2
Risk Score: 66

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file was detected by ClamAV as a phishing trojan, indicating malicious intent. It contains embedded URLs that likely serve as lures or redirect to malicious sites. The PDF structure and embedded objects suggest it is designed to exploit vulnerabilities or trick users into downloading further payloads.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4686

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://feedproxy.google.com/~r/sq/ugae/~3/5Aj-mlxkUx8/square?utm_term=design+the+packaging+of+your+product+following+the+guidelines+in+designing+packaging
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60ec9c269cb57f380a79d934/1626119206729/air_force_gd_topic_2020.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60e8d6fee2705b436309ba28/1625872126816/22679802565.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e7a13d1d61f435cef4bb3b/1625792830092/watch_notebook_bollywood.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60e91f080a287971af99e14d/1625890569041/3705948351.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Fields: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00017f6e.bin
    SHA-256: e5d0be04f6da9d6cd4de19edeba6cb24c526a1bec5bc0bf0cab9225ad08e6865
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17F6E
    Size: 11292 bytes
  • font_01_sfnt_off000199ce.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x199CE
    Size: 16792 bytes
  • font_02_sfnt_off0001b1e0.bin
    SHA-256: a8cbe2d05c9bc58469c911ffdee5a6c2072b2c2c2bef17fdfc19f8b9d54ec9c2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1B1E0
    Size: 18364 bytes