Malicious PDF — malware analysis report

Static analysis result for SHA-256 6520da3a9419871a…

MALICIOUS

PDF

76.6 KB Created: 2021-07-14 02:14:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 06827213b0afe7dabc114f6529fd3c14 SHA-1: f80a52e8a56d9609bbcf7844a6993c5359a05154 SHA-256: 6520da3a9419871a8ed31cdf964f5b50b6a30fd0efebbf8607d2d6617214c719
66 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file was detected by ClamAV as Pdf.Phishing.Trojan, indicating malicious intent. The PDF contains embedded URLs, one of which is associated with a boxing training topic, suggesting a potential lure. While the document body is heavily obfuscated, the presence of external URIs and the ClamAV signature strongly suggest this PDF is designed to exploit vulnerabilities or trick users into downloading further malicious content.

Machine Learning

  • Nyx PDF Classifier clean score 0.2489

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/J-SxIuB37Ms/square?utm_term=boxing+training+skills+and+techniques+pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60ecd7bf6be96a4ec4021808/1626134463942/types_of_elocution.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60e7d96345e16b3be7e9acdd/1625807203209/lozowoxipufe.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c62a.bin
187ce0a7550b1730faab42e7aabc1454d3cb46cc006c0c5c0261e5caf0e34fc4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC62A 17564 bytes
font_01_sfnt_off0000f44c.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF44C 16792 bytes
font_02_sfnt_off00010c63.bin
945657b259ef2b53ceae7d3e9e5310d4da4cc0506ced63e16d769a116608b987		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10C63 11392 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.