Malicious PDF — malware analysis report

Static analysis result for SHA-256 5220228a1ac9d58f…

MALICIOUS

PDF

82.7 KB Created: 2021-07-12 21:54:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: eefa84fd4f14f96a24b2d53426ab0e4e SHA-1: c3373d6b105aeb9f6cd837994554d8ed6f798edb SHA-256: 5220228a1ac9d58f68ff49b186eec0171cf4435c482ef1bd64186125d148c672
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The ML classifier and ClamAV detection indicate this PDF is malicious. The embedded URLs, though many are marked benign, suggest an attempt to redirect the user to a malicious site or download a payload. The presence of PDF-specific heuristics further supports its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8298

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/4Ji06Fp1PxY/square?utm_term=climate+change+white+paper
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e7abe54d2175279d10f139/1625795557176/boylestad_introductory_circuit_analysis_12th_edition.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60e81e7780504e0a776c67b5/1625824887753/jilonegerikaxubuxu.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e84636a956a31f0d61165d/1625835062774/lajabaxirusel.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60ec8251dd2ac847ff7e8085/1626112593803/siwetinedisozupinifavum.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60e82393ce8457037ee55c99/1625826195669/gta_5_file_for_ppsspp_download_android.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e30f.bin
f5cdc5addd9cd2e10bba2af8eaee20754cac6eba34d506ddf887aa221b4a1e89		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE30F 10652 bytes
font_01_sfnt_off0000fb48.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFB48 16792 bytes
font_02_sfnt_off0001135a.bin
8e2f361e91bcb7377fbf2246e493e8defc43ab1accb05760a487f920b17cfc13		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1135A 16768 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.