Malicious PDF — malware analysis report

Static analysis result for SHA-256 6d5baaff699311d0…

Verdict: MALICIOUS
File type: PDF
Size: 79.5 KB
Created: 2021-07-16 15:11:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 431b56f01dc4f67db52f2e0a26b0657f
SHA-1: ebf9749a32a1e742dc503d323b0c025583990a4d
SHA-256: 6d5baaff699311d04bbdc66415e66654b400ecb757b4059f47359de9362723a2
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF was flagged by the ML classifier and by ClamAV as malicious, specifically as a phishing trojan. It carries an external URI action pointing to 'infrive.ru'; the query string of that link (a movie-download search phrase in utm_term) and the chain of Squarespace-hosted PDFs with numeric or nonsense filenames are consistent with a search-engine-poisoning lure that bounces the reader through many look-alike documents rather than with a legitimate attachment. The document metadata shows it was rendered from HTML by wkhtmltopdf 0.12.5 (Qt 5.11.3), and the body is heavily obfuscated, which suggests a machine-generated container for the link rather than a document written for a reader.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics (4)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV signature match: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes, so a first-wins reader and a last-wins reader resolve different content. Targeted PDFs use this parser-confusion shape to show one object to a scanner and another to the viewer. Body-only differences also occur in benign incremental updates (a document saved after editing), so severity is raised only when the duplicate definition carries active content such as a URI, JavaScript or launch action.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Link and document-body URLs:
    • https://infrive.ru/square?utm_term=percy+jackson+sea+of+monsters+movie+download
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e8c2b23601b306b46fd409/1625866930096/spt_therapy_abbreviation.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60f073383576e9290f93f154/1626370872587/dr_boon_lim_cardiologist.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f0762878351f77a0767fb3/1626371624646/zenedas.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f0b0f68bcf896c91581d55/1626386678468/60937278137.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60ee6660b82b30476862df01/1626236512136/69066289380.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60ed49b066c2900cf55f54b7/1626163633087/30658948393.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60f095311aa90865ae1107b3/1626379570158/dusenurekuveg.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60e8e344e370ac632285ab9c/1625875268688/apple_french_toast_casserole.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ee822c115d504d3a8a43f0/1626243628066/52579724556.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60ee38a42d09e34b72a00064/1626224804592/central_maxima_in_diffraction.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60e9331b8ce0e10532d343fa/1625895707711/botany_questions_and_answers_download.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e79b2f7d3b385c94b223e9/1625791279338/xigetexurapamunojo.pdf
    Metadata URIs (standard XMP/RDF namespace identifiers from the document metadata and the licence URL of the embedded DejaVu fonts; these are identifiers, not network targets the document visits):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
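To make the PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above concrete, here is an added example (written for this page, not the analysis engine that produced the report) that walks a PDF's indirect objects, flags any object number defined more than once with differing bodies, shows which /URI a first-wins reader and a last-wins reader would each act on, and raises severity only when the duplicate carries active content. The sample PDF inside it is constructed, with placeholder domains; it is not the analysed file. The walk is regex-based and deliberately ignores the xref table, object streams and stream decoding, which real samples exploit to hide from exactly this kind of scan.

```python
"""Added example: duplicate-object and URI-action checks for a PDF.
Not the tool that produced this report; a small regex walk that ignores
xref tables, object streams and stream decoding."""
import re
from collections import defaultdict

# "N G obj ... endobj" definitions in file order.  DOTALL lets a body span
# lines; the lookbehind stops a match from starting in the middle of a number.
OBJ_RE = re.compile(rb'(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj', re.DOTALL)
# Literal-string URIs only ("/URI (...)").  Hex strings and escaped
# parentheses are not handled, which is one way real samples dodge this.
URI_RE = re.compile(rb'/URI\s*\(([^)]*)\)')
# Dictionary keys that make an object "active" rather than passive content.
ACTIVE_KEYS = (b'/URI', b'/JavaScript', b'/JS', b'/Launch', b'/OpenAction',
               b'/AA', b'/SubmitForm', b'/GoToR')


def parse_objects(data: bytes) -> dict:
    """Map (num, gen) -> list of body bytes, one entry per definition seen."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(objs)


def find_duplicate_objects(data: bytes) -> list:
    """Flag objects defined more than once with differing bodies."""
    findings = []
    for key, bodies in parse_objects(data).items():
        if len(set(bodies)) < 2:
            continue  # single definition, or byte-identical redefinitions: harmless
        active = any(k in b for b in bodies for k in ACTIVE_KEYS)
        findings.append({
            'obj': key,
            'definitions': len(bodies),
            'first_wins': bodies[0],
            'last_wins': bodies[-1],
            'active': active,
            'severity': 'high' if active else 'info',
        })
    return findings


def resolved_uris(data: bytes, policy: str) -> set:
    """URIs a reader would act on if it resolved duplicates by `policy`
    ('first' or 'last').  Two policies giving two answers is the confusion."""
    pick = {'first': 0, 'last': -1}[policy]
    uris = set()
    for bodies in parse_objects(data).values():
        for m in URI_RE.finditer(bodies[pick]):
            uris.add(m.group(1).decode('latin-1'))
    return uris


def all_uris(data: bytes) -> list:
    """Every URI in every definition, tagged (num, gen, definition index, uri)."""
    out = []
    for (num, gen), bodies in parse_objects(data).items():
        for idx, body in enumerate(bodies):
            for m in URI_RE.finditer(body):
                out.append((num, gen, idx, m.group(1).decode('latin-1')))
    return out


# Constructed sample (not the analysed file): a four-object PDF whose
# incremental update redefines the link annotation (object 4) with a
# different /URI.  Both domains are placeholders.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://example.com/benign) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://lure.invalid/square) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

if __name__ == '__main__':
    for f in find_duplicate_objects(SAMPLE_PDF):
        print(f"obj {f['obj']} defined {f['definitions']}x, "
              f"active={f['active']}, severity={f['severity']}")
    print('first-wins reader sees:', resolved_uris(SAMPLE_PDF, 'first'))
    print('last-wins reader sees: ', resolved_uris(SAMPLE_PDF, 'last'))
    for num, gen, idx, uri in all_uris(SAMPLE_PDF):
        print(f"  {num} {gen} obj (definition #{idx}) -> {uri}")
```

On the constructed sample, object 4 is reported once with severity high because both definitions carry a /URI, and the two resolution policies return different link targets; replacing the second URI with the first makes the bodies byte-identical and the finding disappears, which is the benign-incremental-update case the heuristic describes. A real triage tool should also collect every definition's URIs (all_uris) rather than only the one its own parser happens to pick.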

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d4ab.bin
  SHA-256: b5389774224395c8dcd26437a7e194d6d9f6c0195f3ef21e86b1fb7d36c99056
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD4AB
  Size: 11124 bytes

Filename: font_01_sfnt_off0000eeaf.bin
  SHA-256: 1b348a6de7bb38e8339fb271d308363547745c0856fc6d48e8814790c95444c0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEEAF
  Size: 16416 bytes

Filename: font_02_sfnt_off0001197f.bin
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1197F
  Size: 16792 bytes