Malicious PDF — malware analysis report

Static analysis result for SHA-256 6e92fb8c9222cc80…

MALICIOUS

PDF

Size: 89.9 KB
Created: 2021-07-22 00:15:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: f0870dd348dc46a35fdffdb13eef0fc1
SHA-1: c5f5e546a6fdfbd98eb0cd2e65d3074b19efa658
SHA-256: 6e92fb8c9222cc804e0ba0a2b82a0e7c3aab0f5e4c67f5c9abfec5d575b7ebb9
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was flagged by ML classifiers and ClamAV as malicious. It contains an embedded URI that redirects to a suspicious URL, likely for phishing purposes. The PDF structure itself does not contain readable content, but the presence of the external URI is a strong indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fa48.bin
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFA48
  Size: 16792 bytes

Filename: font_01_sfnt_off0001125f.bin
  SHA-256: 5f8ad811373e695ee1fcaad9e05962914f0b9fb5262e42aeb236021f401f595f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1125F
  Size: 11028 bytes

Filename: font_02_sfnt_off00012c0a.bin
  SHA-256: 38741dc4db88fb85010958294f5091172e2fc732c41715382540abb91923065f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12C0A
  Size: 17124 bytes