Malicious PDF — malware analysis report

Static analysis result for SHA-256 35d383fb53f95b8d…

Verdict: MALICIOUS

File type: PDF

Size: 78.9 KB
Created: 2021-07-12 22:40:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: de999533d09f76cfec1409cec0555654
SHA-1: e7c06c838f06804835bcc8c153bc472d8c09425e
SHA-256: 35d383fb53f95b8d9091e962c175638d4f4b8d923b32dafb063b2c8723282cfc
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF was flagged as malicious by both the machine-learning classifier (score 0.9511) and ClamAV, whose signature names it a phishing trojan. The document was produced with wkhtmltopdf, i.e. rendered from an HTML page, and carries an external URI action whose target is a feedproxy.google.com (FeedBurner) redirector URL tagged with the search terms "hero wars puzzle game". The redirector hides the final destination, which is consistent with a click-through lure leading to credential harvesting or a further download. No JavaScript or other active scripts were extracted, so the file has no exploit component of its own; its risk lies in social engineering, and it should be handled as a spear-phishing attachment (T1566.001). The remaining extracted URLs are either links to other PDFs hosted on static1.squarespace.com, whose epoch-millisecond path components date them to July 2021 like this file and which are candidate pivots for related lures, or XMP namespace identifiers and DejaVu font license strings from the document metadata, which are inert and not indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9511

Heuristics (4)

  • ClamAV detection [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    The PDF contains an external URL action (/URI). The target is the feedproxy.google.com link listed first under Embedded URL below.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once in the file with different body bytes. A first-wins reader and a last-wins reader therefore resolve different content, a parser-confusion shape used by targeted PDFs to show a scanner one version of an object and the viewer another. Body-only differences are also the normal result of a benign incremental update (a save that appends a fresh copy of each changed object), so severity is raised only when the duplicated object carries active content such as a /URI, /JavaScript, /Launch or /OpenAction entry.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the channel that reached each URL (URI action, JavaScript, link annotation, document body, metadata, ...) determines its weight.
    External URI action target (the game-puzzle lure named in the summary):
    • https://feedproxy.google.com/~r/sq/ugae/~3/eaN1Eb74jJI/square?utm_term=hero+wars+puzzle+game+only
    Links to further PDFs hosted on static1.squarespace.com:
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e8d1dd00b83d0a108858bb/1625870813644/how_many_years_does_a_chicken_live.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60e8eb208fb24157da6d8f4e/1625877280658/hurdle_rate_meaning.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60e9407e320dbd0de2820d69/1625899134841/mole_mapping_procedure.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60ec7dd5e64ce5371634428e/1626111445524/morusaxisalijepem.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ec711a12c1416d2f18ca13/1626108187071/papofulobe.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60ec91d6bcf8be39b5066a69/1626116566424/fahrenheit_451_book_256_pages.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60ec8679700aa07a78953c85/1626113657396/benz_research_and_development.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60e9265337cb9044756027fc/1625892435889/34337884765.pdf
    XMP namespace identifiers and font license references from document metadata (inert, not navigation targets):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
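The two PDF-structure heuristics above (PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) are easy to reproduce on raw bytes. The script below is an added example written for this report, not the scanner's own code: it finds every indirect object definition, flags object numbers defined more than once with differing bodies, shows what a first-wins versus a last-wins reader would resolve for each, extracts /URI targets, and escalates only when a duplicate carries active content, as the heuristic text describes. The three PDFs it runs on are constructed inline (a base revision plus a lure update and a benign update) and are not the analysed sample; the example.org/example.net URLs and the ACTIVE_KEYS list are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): a minimal PDF whose base revision
# holds one link annotation (object 5). Cross-reference tables are omitted
# because the scan below works on raw bytes and never trusts xref offsets.
BASE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/benign) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Incremental update that redefines object 5 with a different link target:
# the duplicate carries active content, so a scanner should escalate.
LURE_UPDATE = BASE + b"""5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.net/lure?utm_term=puzzle) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# Incremental update that only touches the page tree, as an editor's save does:
# a duplicate with a body-only difference and no active content.
BENIGN_UPDATE = BASE + b"""2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 /Rotate 0 >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj"; the lookbehind stops "15 0 obj" from also matching as "5 0 obj".
OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# /URI followed by a literal string (...) or a hex string <...>.
URI_RE = re.compile(rb"/URI\s*(?:\((.*?)(?<!\\)\)|<([0-9A-Fa-f\s]*)>)", re.S)
# Dictionary keys whose presence makes a duplicated object "active" (assumed list).
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")


def scan_objects(data):
    """Map (number, generation) -> list of body bytes, in file order.
    Stream payloads are not skipped here; a production parser must lex streams."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(data):
    """Objects defined more than once whose bodies differ (the heuristic's trigger)."""
    return {k: v for k, v in scan_objects(data).items() if len(set(v)) > 1}


def extract_uris(body):
    """All /URI targets in one object body, decoding hex strings."""
    out = []
    for literal, hexstr in URI_RE.findall(body):
        if literal:
            out.append(literal.decode("latin-1"))
        else:
            out.append(bytes.fromhex("".join(hexstr.decode().split())).decode("latin-1"))
    return out


def effective_uris(data, policy="last"):
    """URIs each object resolves to under a first-wins or last-wins reader."""
    pick = (lambda bodies: bodies[-1]) if policy == "last" else (lambda bodies: bodies[0])
    return {k: extract_uris(pick(bodies)) for k, bodies in scan_objects(data).items()}


def classify(data):
    """Severity for PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: 'none', 'info' or 'high'."""
    dups = duplicate_objects(data)
    if not dups:
        return "none", []
    active = any(key in body for bodies in dups.values() for body in bodies for key in ACTIVE_KEYS)
    return ("high" if active else "info"), sorted(dups)


if __name__ == "__main__":
    for name, sample in (("lure", LURE_UPDATE), ("benign", BENIGN_UPDATE)):
        severity, keys = classify(sample)
        print(name, severity, keys)
        for k in keys:
            print("  first-wins:", effective_uris(sample, "first")[k],
                  " last-wins:", effective_uris(sample, "last")[k])
```

Running it shows the lure update rated "high" with object (5, 0) resolving to the benign URL under first-wins and to the lure URL under last-wins, while the benign update, whose duplicate changes only the page tree, stays at "info".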

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType) font programs, which is what wkhtmltopdf emits for the fonts used to render the source page; the dejavu.sourceforge.net URLs in the metadata list above are the homepage and license strings carried in DejaVu font files.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000d493.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xD493   16380 bytes
  SHA-256: 5df85ecf4cd48f4d6136db8eabe3264f7f0db94dd01f235a1c1a55964889bc15
font_01_sfnt_off0000fee0.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFEE0   10756 bytes
  SHA-256: 9316197b596c8db00cfeb5026a8a05e9b4431ece5fdc08df8cd774381b37d194
font_02_sfnt_off000117b0.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x117B0  16792 bytes
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
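The artifact table is produced by carving PDF streams, inflating the FlateDecode ones and keeping those whose payload starts with an sfnt magic. The following is an added example of that carving step, written for this report and not the analysis pipeline's code: it locates each stream, reads its length from the owning dictionary (falling back to an endstream scan), inflates where a /FlateDecode filter is declared, skips corrupt streams instead of aborting, and hashes each carved font. The input is a constructed three-stream PDF with a fake 64-byte TrueType header, not the analysed sample; reporting the offset of the stream keyword and the font_NN_sfnt_offXXXXXXXX.bin naming are assumptions chosen to mirror the table above.

```python
import hashlib
import re
import zlib

# sfnt container magics: TrueType, OpenType/CFF, Apple-style TrueType.
SFNT_MAGICS = {b"\x00\x01\x00\x00": "TrueType", b"OTTO": "OpenType/CFF", b"true": "TrueType (Apple)"}

# 'stream' keyword that is not the tail of 'endstream'.
STREAM_START = re.compile(rb"(?<!end)stream\r?\n")
# Direct /Length only: '/Length 7 0 R' (indirect) and '/Length1' do not match.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")

# Constructed sample (not the analysed file): a fake 64-byte TrueType header stored
# as a FlateDecode font stream, a plain content stream, and a FlateDecode stream with
# corrupt data that the carver must skip rather than crash on.
FONT_BLOB = b"\x00\x01\x00\x00" + b"\x00\x05" + b"\x00" * 58
_COMPRESSED = zlib.compress(FONT_BLOB)
SAMPLE = (
    b"%PDF-1.4\n"
    + b"7 0 obj << /Length " + str(len(_COMPRESSED)).encode()
    + b" /Filter /FlateDecode /Length1 " + str(len(FONT_BLOB)).encode() + b" >>\nstream\n"
    + _COMPRESSED + b"\nendstream\nendobj\n"
    + b"8 0 obj << /Length 11 >>\nstream\nBT ET Tj Tz\nendstream\nendobj\n"
    + b"9 0 obj << /Length 5 /Filter /FlateDecode >>\nstream\n!!!!!\nendstream\nendobj\n"
    + b"%%EOF\n"
)


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def _owning_dict(data, stream_pos):
    """Dictionary text of the object that owns the stream, from its 'obj' keyword back."""
    head = data[max(0, stream_pos - 512):stream_pos]
    i = head.rfind(b"obj")
    return head[i:] if i >= 0 else head


def _raw_stream(data, start, dictionary):
    """Stream bytes, trusting a direct /Length and otherwise scanning for endstream."""
    m = LENGTH_RE.search(dictionary)
    if m:
        return data[start:start + int(m.group(1))]
    end = data.find(b"endstream", start)
    if end < 0:
        return b""
    raw = data[start:end]
    if raw.endswith(b"\r\n"):
        return raw[:-2]
    return raw[:-1] if raw.endswith(b"\n") else raw


def carve_sfnt(data):
    """Carve every stream that decodes to an sfnt font, as the artifact table does."""
    found = []
    for m in STREAM_START.finditer(data):
        dictionary = _owning_dict(data, m.start())
        raw = _raw_stream(data, m.end(), dictionary)
        if b"/FlateDecode" in dictionary:
            try:
                payload = zlib.decompressobj().decompress(raw)
            except zlib.error:
                continue  # corrupt or truncated stream: skip it, keep scanning
        else:
            payload = raw
        kind = SFNT_MAGICS.get(payload[:4])
        if kind is None:
            continue
        offset = m.start()  # assumption: report the position of the 'stream' keyword
        found.append({
            "filename": "font_%02d_sfnt_off%08x.bin" % (len(found), offset),
            "kind": kind,
            "offset": offset,
            "size": len(payload),
            "sha256": sha256_hex(payload),
        })
    return found


if __name__ == "__main__":
    for art in carve_sfnt(SAMPLE):
        print(art["filename"], art["kind"], "%d bytes" % art["size"], art["sha256"])
```

Only the first stream survives: the content stream has no sfnt magic and the third stream fails inflation. Hashing the decoded payload rather than the compressed bytes is what lets the carved font be matched against known-good font hashes regardless of how a given generator compressed it.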