Malicious PDF — malware analysis report

Static analysis result for SHA-256 440a08511a8add0a…

MALICIOUS

PDF

76.2 KB Created: 2021-07-18 06:53:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: f6b1ddf521cf33d55c7956b1d71e6374 SHA-1: 63bde6b0c980190c0393564f28ef50567057505d SHA-256: 440a08511a8add0a7c0e858e01b5d7f4e07fd990f3db29f7aa6d2dd66ba6d1b2
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The presence of embedded URLs, despite some being marked as benign, suggests an attempt to redirect users to potentially harmful content. The PDF structure and embedded artifacts do not reveal specific scripting languages, but the overall context points towards a phishing or malware distribution vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9125

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/ZV5PD9BTPXI/square?utm_term=comma+after+prepositional+phrase
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60f36ae2699a8678c57c65b6/1626565346810/biduzuxogojodule.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60f342feec5ad00cc08f749b/1626555134794/93988407934.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f15d03b3a282695d353e05/1626430723437/49630402108.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60edecd70229956bd135c0a3/1626205399334/5569978730.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60edaeac1a2ce466740d87cc/1626189484307/prohibition_home_brewers.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c90f.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC90F 16792 bytes
font_01_sfnt_off0000e126.bin
44d49dd646bca46a52b709c44674bbbc43173b8e946733776db97f83fe44401e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE126 10656 bytes
font_02_sfnt_off0000f956.bin
59f0570458c21b0f767dbd1e6478de00a1ef1797b76fe27547f19abcdae34b9d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF956 17080 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.