Malicious PDF — malware analysis report

Static analysis result for SHA-256 6287ac6a876b13e3…

Verdict: MALICIOUS
File type: PDF
Size: 77.1 KB
Created: 2021-07-12 21:48:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 12b453eb3505d6e2e2c370431e58b145
SHA-1: ec4e2b6b3cc74e6442826473084c1c172c2ad0de
SHA-256: 6287ac6a876b13e3396708cfbfd2ad85fc6943b3534b835529733869164c46f9
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF file was flagged as malicious by both ML classification and ClamAV, indicating a high likelihood of malicious intent. The presence of embedded URLs, although many are confirmed benign, suggests an attempt to lure the user to external resources. The file's structure and detection by ClamAV as 'Pdf.Phishing.Trojan' point towards a phishing or trojan delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9001

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000cce4.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCCE4
    Size: 16792 bytes
  • Filename: font_01_sfnt_off0000e4f6.bin
    SHA-256: 0fa34cd9a8dc3b2a3874f37c483db4ce66da9156ab050eab0ab76f189e679428
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE4F6
    Size: 16364 bytes
  • Filename: font_02_sfnt_off00010fa4.bin
    SHA-256: fd0bb91615dad2d57de60415f1e1a2cf5fba32a118dbb9864542a0a8f75e39a1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10FA4
    Size: 10772 bytes