Malicious PDF — malware analysis report

Static analysis result for SHA-256 618c5fa04dca7a37…

MALICIOUS

PDF

Size: 79.8 KB
Created: 2021-07-17 19:06:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: bb520eb3ea0ebbccfad0f255822067fa
SHA-1: 33884f14080b28f07a6df54387fc81223a80b37a
SHA-256: 618c5fa04dca7a372bed36a258a803b3d1911d11d25ba587a2a5f4edf228c911
Risk Score: 66

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected by ClamAV as Pdf.Phishing.Trojan. The presence of embedded URLs, although many are marked as benign, suggests an attempt to redirect the user. The PDF structure and embedded objects are consistent with a phishing lure, likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3975

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://feedproxy.google.com/~r/razvivatel/yapz/~3/gOBB6uaVNRA/square?utm_term=value+of+x+in+a+parallelogram
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e93cffb630645a0ef83892/1625898239967/73628615562.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e906cf83ae0c490237fc8c/1625884367140/pazimojapurasogebexi.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ee6fcc7c5bce1f33501b17/1626238924412/2773631990.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size

font_00_sfnt_off0000bf1a.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBF1A
    Size: 16792 bytes

font_01_sfnt_off0000d72c.bin
    SHA-256: cedd12c42fc48d23c75fc29758abd231b0c5afad8bf8fc2acf405f07453e8bc6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD72C
    Size: 17596 bytes

font_02_sfnt_off000105aa.bin
    SHA-256: 450eea5fc67953cc3bdc764260aa6f1739571c17331c9588074966c3dbef4c6c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x105AA
    Size: 16088 bytes

font_03_sfnt_off00011ae0.bin
    SHA-256: 9e801adc2542caa81122f99e56861c7152e04b9833ff1a2588b12c93500e88e5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11AE0
    Size: 10608 bytes