Malicious PDF — malware analysis report

Static analysis result for SHA-256 73af7f734ebe7ec2…

MALICIOUS

PDF

88.6 KB Created: 2021-07-17 09:46:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 2d0b90d91c2b267fc8223775908d61cb SHA-1: 642be8421c17c3c53b22516ea16dfc71c40768ff SHA-256: 73af7f734ebe7ec25fe7a89feb000a27e6f3d9b8ba22420f8c72f1f0ee0ca38c
106 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with a signature indicating a phishing trojan. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' strongly suggests the document is designed to trick users into providing a password for an archive, a common tactic to evade gateway security. While no scripts were explicitly extracted, the PDF structure and embedded URLs indicate potential for malicious content delivery, possibly via JavaScript, which is common in PDF exploits.

Machine Learning

  • Nyx PDF Classifier clean score 0.1448

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/-MXWpcYQ7kA/square?utm_term=holt+elements+of+literature+answers
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60e93236c91b61347ea444ac/1625895478161/wefid.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ec85d7760c9e2bcf433221/1626113495794/44811675037.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f7ad.bin
e0302054395bf5fd73ab7db3071740c852a4ddc102b5783dcf5e4a5df68d4709		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF7AD 10552 bytes
font_01_sfnt_off00010fc2.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10FC2 16792 bytes
font_02_sfnt_off000127d4.bin
ccc19f139cafb91ddf17988d143456cde08dfd0d0011f9f0d73e574b6b78b934		 pdf-font-stream PDF embedded font (sfnt) at offset 0x127D4 17724 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.