Malicious PDF — malware analysis report

Static analysis result for SHA-256 4847847433bf4f2c…

Verdict: MALICIOUS
File type: PDF
Size: 76.1 KB
Created: 2021-07-17 14:09:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: f3493f06559fb53de2f73738b1a420d9
SHA-1: e787491c1f8968e3367cf579871c6f40605b1b06
SHA-256: 4847847433bf4f2ce9c7e2351be4d6b756e389543e395993cd808a0d27f44f40
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is a PDF file flagged by ML classifiers and ClamAV as malicious. It contains an embedded URL that, despite being labeled as benign in the provided context, is part of the attack pattern. The PDF structure and heuristics suggest an attempt to redirect the user to external content, likely for phishing or malware delivery. No scripts were extracted, limiting the analysis of specific execution methods.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7788

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://feedproxy.google.com/~r/sq/ugae/~3/NsX9ihectO0/square?utm_term=harry+potter+watch+online+with+english+subtitles
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f0f0ad06e5cb5c826215c7/1626402990142/wotox.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60ee42d8f6c772366d2e8376/1626227416469/nmap_scan_connected_devices.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60f08271e8e6bb0d49241788/1626374769532/fesesakuregixu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off0000c77f.bin
  SHA-256: 564740d528235a1df023a2d1358f826bde1da66b2de1d9aa124e457a4ce09a47
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xC77F
  Size: 11084 bytes

font_01_sfnt_off0000e113.bin
  SHA-256: b3318e99156c16fe697269afbe025a0afe1476fcbb492497de23e176987122fb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE113
  Size: 16540 bytes

font_02_sfnt_off00010c21.bin
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10C21
  Size: 16792 bytes