Malicious PDF — malware analysis report

Static analysis result for SHA-256 4534e11159b9623c…

Verdict: MALICIOUS
File type: PDF
Size: 131.6 KB
Created: 2021-07-19 05:13:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: a16a8cda0a80cf2169f377c4fa27b0ae
SHA-1: 13639ac4d14ed344dd7f0a811b7ebec67d37f578
SHA-256: 4534e11159b9623c8168817a87d92771c04f1c5839691860d7f59fd2ab457db3
Risk score: 66

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

ClamAV identifies the file as malicious with the signature Pdf.Phishing.Trojan; this is the only critical finding, and the remaining heuristics are informational. The document was produced by wkhtmltopdf, i.e. it is HTML rendered to PDF, which is consistent with the URLs it carries: a feedproxy.google.com (FeedBurner) redirect link and four static1.squarespace.com links to further .pdf files, one of which is flagged as potentially malicious, suggesting a phishing lure that sends the reader to an external page. The other extracted URLs (w3.org, purl.org, ns.adobe.com) are XMP namespace identifiers, and the dejavu.sourceforge.net entries are the vendor and license URLs carried in the embedded DejaVu fonts; none of these is a navigable link target. The PDF also defines at least one object number twice with different bodies, a structure that can show different content to different parsers, although it is equally common in benign incremental updates. No scripts were extracted, so the document does not execute anything on its own; the ClamAV detection together with the external links points to a phishing or credential-harvesting scheme that depends on the reader following a link.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4152

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://feedproxy.google.com/~r/sq/ugae/~3/ZFaGRQ6RLlg/square?utm_term=stowe+reporter+police+blotter
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f38c62b84a576e6c032220/1626573922909/67783121507.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e8073e69e16759cf775cf9/1625818942440/tunnel_theory_of_alpha_decay.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f013957fedc2490c0b37ec/1626346389133/physical_science_powerpoints_and_guided_notes.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60ecb5a66de3926792abc331/1626125734078/activity_1.2_3_electrical_circuits_simulation.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
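The two informational heuristics above describe checks a practitioner can reproduce independently of the engine: scan the file for every "N G obj ... endobj" definition, report object ids whose bodies differ, show what a first-wins and a last-wins reader would each resolve, raise severity only when a duplicate carries active content, and label each extracted URL by the channel it came through (link annotation, XMP metadata, plain body text). The Python script below is an added example written for this page, not code from this report or from the analysis engine that produced it. It runs against a constructed sample PDF embedded inline (not the analysed file) in which an incremental update redefines object 4 0, a link annotation, with a different target URL; the object numbers, URLs and the list of action keys treated as "active" are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): the original body defines object
# "4 0" as a link annotation to one URL; an appended incremental update
# redefines "4 0" with another URL. Xref tables are omitted because this scan
# works on raw bytes, not on the xref/Prev chain. /Length 114 is the byte count
# of the metadata stream body.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://example.org/benign) >> >>
endobj
5 0 obj
<< /Type /Metadata /Subtype /XML /Length 114 >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://example.org/second) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj" in file order; re.S lets a body span lines and streams.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URL_RE = re.compile(rb"https?://[^\s()<>\"'\[\]]+")
# Assumed list of dictionary keys that let an object trigger an action.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR")


def iter_objects(data):
    """Yield (num, gen, body_bytes, offset) for every indirect object definition."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def find_duplicate_objects(data):
    """Map (num, gen) -> bodies, for ids defined more than once with differing bytes."""
    bodies = defaultdict(list)
    for num, gen, body, _ in iter_objects(data):
        bodies[(num, gen)].append(body)
    return {k: v for k, v in bodies.items() if len(set(v)) > 1}


def resolve(data, num, gen, policy):
    """Pick the body a first-wins or last-wins (xref-ignoring) reader would use."""
    matches = [b for n, g, b, _ in iter_objects(data) if (n, g) == (num, gen)]
    if not matches:
        return None
    return matches[0] if policy == "first" else matches[-1]


def active_keys(body):
    """Action keys present in an object body (substring check, deliberately coarse)."""
    return [k.decode() for k in ACTIVE_KEYS if k in body]


def classify_channel(body):
    """Label the channel through which an object's URLs reach the reader."""
    if b"/S /URI" in body or b"/Subtype /Link" in body:
        return "link-annotation"
    if b"/Type /Metadata" in body or b"xmlns" in body:
        return "xmp-metadata"
    return "document-body"


def extract_urls(data):
    """Return (url, channel, 'N G') triples for every URL in every object body."""
    found = []
    for num, gen, body, _ in iter_objects(data):
        for url in URL_RE.findall(body):
            found.append((url.decode(), classify_channel(body), f"{num} {gen}"))
    return found


def triage_duplicates(data):
    """One finding per duplicated object; severity is raised only for active content."""
    findings = []
    for (num, gen), bodies in find_duplicate_objects(data).items():
        keys = sorted({k for b in bodies for k in active_keys(b)})
        findings.append({
            "obj": f"{num} {gen}",
            "definitions": len(bodies),
            "active": keys,
            "severity": "high" if keys else "info",
            "first_wins": resolve(data, num, gen, "first"),
            "last_wins": resolve(data, num, gen, "last"),
        })
    return findings


if __name__ == "__main__":
    for f in triage_duplicates(SAMPLE_PDF):
        print(f"{f['obj']} defined {f['definitions']}x, active {f['active']}, severity {f['severity']}")
        print("  first-wins:", f["first_wins"].decode())
        print("  last-wins: ", f["last_wins"].decode())
    for url, channel, obj in extract_urls(SAMPLE_PDF):
        print(f"{channel:16} obj {obj}: {url}")
```

Two caveats for real samples. Conforming readers resolve objects through the xref table and /Prev chain rather than by file position, so first-wins versus last-wins here models the reconstruction behaviour of parsers that ignore or rebuild the xref; a triage should compare the byte-order result with what the xref actually points at. The scan also sees only uncompressed bytes: objects inside object streams and FlateDecode'd metadata or font streams must be inflated first, which is why the font-metadata URLs in a report like this one surface only after the sfnt streams have been carved.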

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001a725.bin
SHA-256:  c74ee55c817fca3737f0ad0becd810261214b2931d38d92c282dae3de925ad70
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x1A725
Size:     16444 bytes

Filename: font_01_sfnt_off0001d1d9.bin
SHA-256:  9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x1D1D9
Size:     16792 bytes

Filename: font_02_sfnt_off0001e9f0.bin
SHA-256:  8aec8ba381c484990fda6c626b617930488cfe0c204c82e2b39c81ef7f0c60ad
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x1E9F0
Size:     10232 bytes