Malicious PDF — malware analysis report

Static analysis result for SHA-256 5c00df0ba8b566e0…

Verdict: MALICIOUS
File type: PDF
Size: 84.8 KB
Created: 2021-07-21 19:01:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: fd9cabd3d7dd4df49789c5da16045050
SHA-1: 756b4255778bd5c4661a4591c23cf949cb8db62c
SHA-256: 5c00df0ba8b566e0dd32338e9ffe0680f86e3b7a5b33b7e4671473bb645eddc5
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The ML classifier and ClamAV detection strongly indicate this PDF is malicious. The embedded URLs, though many are marked benign, suggest a phishing or credential harvesting attempt. The PDF structure and heuristics point to exploitation of PDF vulnerabilities, likely to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://feedproxy.google.com/~r/sq/ugae/~3/-7-cX3opz_8/square?utm_term=having+a+pacemaker
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ec7e39d0153e73bf8b3bf5/1626111545124/72997734879.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e7c666f4d7c53d8b124da4/1625802342437/gewijetorapusumedoz.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ee0afa84a0477e84a77d44/1626213114596/10179682065.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60eddb30d6548a387fd2bfd0/1626200880410/one_of_the_subject_verb_agreement.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f3400626c2747482dec835/1626554374229/new_testament_names_male.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60ee69420b33b63bb8c8b8b9/1626237250643/zerazagapu.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60f1716ae75c7a046d9f9448/1626435946455/historical_research_design_definition.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60f2b828e615ea111e6294c9/1626519593084/xirorinajitupopikat.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60eff6b8fdf15601434a0961/1626339000819/donopuxipudiwesot.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60f67231a22c811cd228dab2/1626763825698/different_types_of_intangible_assets.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f5ceec08ddf246b9f14bf6/1626722028942/13484297367.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f58bb0731d8c7c6f180f7c/1626704817060/sedugowibosodejen.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f610f2357ac31622280ae7/1626738930739/our_simple_life.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60eda22846a7611a87cfe318/1626186280782/fazup.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e89286b14d1431991a6066/1625854599130/the_list_of_books.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f54d2e23bf9c1bcafdebd6/1626688814993/convert_auto_to_manual.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60f2841fc4d0d61e672f73ad/1626506271454/jamowawolobemapivijixu.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60efd9ebd9659e2786448278/1626331627312/82383192397.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f25d378c10a93e50436b81/1626496311437/92398970040.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f0e3cd4be5f74a98dcf5c7/1626399693755/c_is_for_cookie_coloring_page.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f6cb04f175431ff0d245f3/1626786565110/another_word_for_window_blinds.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ec81a254a52c186ce4c6d6/1626112418689/87083882723.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000eaea.bin
    SHA-256: 0b14e36f2656fce470e4ec63f4c3dc1c39883f21bdaa5fa024aa78933a10958c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEAEA
    Size: 16512 bytes
  • font_01_sfnt_off000115a5.bin
    SHA-256: ede425621e8589aab5d4a24f9914636a02b0f623a33988cbd41399d78935d688
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x115A5
    Size: 10436 bytes
  • font_02_sfnt_off00012d3c.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12D3C
    Size: 16792 bytes