Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f67912c612a8e0e…

Verdict: MALICIOUS
File type: PDF
Size: 211.3 KB
Created: 2021-07-12 22:27:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 4170fb251015141c1c0ea774800a7c33
SHA-1: ceefb6f71909f59c04bc71be8d93a4a7c320340e
SHA-256: 4f67912c612a8e0e3de67468d1bfb279febb7f8cf284a8dcfebbf21cda615293
Risk Score: 66

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The ClamAV detection 'Pdf.Phishing.Trojan' strongly suggests malicious intent. The presence of embedded URLs, though marked as benign, indicates an attempt to link to external resources. The file's structure and the detection type point towards a phishing or trojan delivery mechanism within the PDF.

Machine Learning

  • Nyx PDF Classifier clean score 0.0904

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0002c20b.bin
    SHA-256: 0417e0853dbe4cc8f2d7df5ab5686f96dcecf468b83bab4e96a44f74f8ad74bf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2C20B
    Size: 8748 bytes
  • Filename: font_01_sfnt_off0002df5a.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2DF5A
    Size: 16792 bytes
  • Filename: font_02_sfnt_off0002f771.bin
    SHA-256: 6310f8fc50c32af11ee1fdd39b628ffbe311acbe955dfd78f76328ca120e3393
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2F771
    Size: 10320 bytes
  • Filename: font_03_sfnt_off00030e87.bin
    SHA-256: 9d6829c8467135e94affcdd9acd7c43c64b5ca92d9f2ed5c4db1d7c47fd150cf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x30E87
    Size: 19320 bytes