Malicious PDF — malware analysis report

Static analysis result for SHA-256 5e235bef78ceb03c…

Verdict: MALICIOUS
File type: PDF
Size: 82.3 KB
Created: 2021-07-15 10:06:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: e945a74fc103bb6551069b7a3479856a
SHA-1: b7e4efdc5b00b3742c636d788d992ff9877433d1
SHA-256: 5e235bef78ceb03c0b25ab2df302e9bd7736e5d6e2b9e700a59a8aede87be31a
Risk Score: 66

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The ClamAV heuristic identified this PDF as a phishing trojan. While most extracted URLs are confirmed benign, the presence of an external URI heuristic and the ClamAV detection strongly suggest malicious intent. The file's structure and embedded content, though obfuscated, are consistent with exploit delivery mechanisms.

Machine Learning

  • Nyx PDF Classifier: clean score 0.1542

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000de50.bin
    SHA-256: cd6add751d5c4f4a191e81da4432ec2f994892c1d83b84cf219910657c62899a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDE50
    Size: 17164 bytes
  • font_01_sfnt_off00010b40.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10B40
    Size: 16792 bytes
  • font_02_sfnt_off00012357.bin
    SHA-256: fa2138144fde3f0a475292a41e50146e99cc6aba21a688133da08b7150d86263
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12357
    Size: 11192 bytes