Malicious PDF — malware analysis report

Static analysis result for SHA-256 4179385b4deb0ba4…

MALICIOUS

PDF

73.7 KB Created: 2021-07-19 21:24:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 81442acbc9fb1c62cad0c7ca4c18f933 SHA-1: cd18af860a1e7dfdff459f08ba56ee75a06a8e28 SHA-256: 4179385b4deb0ba4de55fe95450d6de644537f6997c99e4e44554569960a5e7b
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ML classifiers and ClamAV, indicating a phishing attempt. The PDF contains embedded URLs that likely lead to further malicious content or phishing pages. Although no scripts were directly extracted, the PDF structure and embedded URLs suggest an attempt to trick the user into downloading or interacting with malicious content, aligning with spearphishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8028

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/NsX9ihectO0/square?utm_term=personality+type+questionnaire+pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60ee75cb07d0587a37666de2/1626240459290/new_da_for_bank_employees.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f2e4231ad9bf1c32ae9a75/1626530851887/houses_with_2_stories.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f53c2329712869f07defc7/1626684451167/71925926214.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c066.bin
8fe2796e5fb5d7c1f4e4752677a5b725ed55419f08d29e69aabb8934fa75c0d1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC066 10852 bytes
font_01_sfnt_off0000d966.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD966 16792 bytes
font_02_sfnt_off0000f178.bin
155dd0be30bea981e573ba965ce8eb8d726ac8465c32a3636d48aae3b8ce1f78		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF178 16004 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.