Malicious PDF — malware analysis report

Static analysis result for SHA-256 67864478df5bac38…

MALICIOUS

PDF

79.3 KB Created: 2021-07-14 01:57:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: d2e9f3c84571d2642d6c5a62af431d82 SHA-1: b41456ae5cab85913a771d97f90ac0dc2cd49e4b SHA-256: 67864478df5bac389159314ed0ef07068ae987572e47127f8605f62b12bf64d5
66 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file was detected by ClamAV as 'Pdf.Phishing.Trojan', indicating malicious intent. The PDF contains embedded URIs, suggesting it may attempt to redirect the user to malicious sites or download further payloads. The presence of duplicate object bodies in the PDF structure is also a common characteristic of obfuscated malicious documents.

Machine Learning

  • Nyx PDF Classifier clean score 0.1234

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/cEZ-xJcQpFE/square?utm_term=level+88+of+wordscapes
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60e880a8dbc00a3535ad647a/1625850024291/cold_beet_salad_with_vinegar.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60ee100f33d4654651b9d1ef/1626214415505/pususowovajezatig.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c0b5.bin
6d636ebcb28a43c11a0b96216d988d0aaa25e428b847d4e039b2a2a6b6e27b6d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC0B5 16068 bytes
font_01_sfnt_off0000d5d5.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD5D5 16792 bytes
font_02_sfnt_off0000ede7.bin
9a19e32d8a4b909f456af6f0939a53011f36eb93e4fc8ef32bc5e6daf555cfbb		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEDE7 16392 bytes
font_03_sfnt_off0001187a.bin
3d4218c9dd6a31d3a069e9756aa88b3a436c8450ec113c7243bbaa9f38553316		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1187A 10636 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.