Malicious PDF — malware analysis report

Static analysis result for SHA-256 7965eb325ef4b8d4…

MALICIOUS

PDF

79.6 KB Created: 2021-07-16 01:40:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: f2fb14cc1719529da4ece62755994f47 SHA-1: 37c91d336cbeed1281e03ced90fedd98ccae2f03 SHA-256: 7965eb325ef4b8d40f0ceff97e907d6db79f21baa76e2707d0b276838113535a
66 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected by ClamAV as Pdf.Phishing.Trojan, indicating a phishing attempt. The presence of embedded URLs, although marked as benign, suggests an attempt to redirect users. The PDF structure and metadata indicate it was generated by wkhtmltopdf, which can be used to create malicious PDFs.

Machine Learning

  • Nyx PDF Classifier clean score 0.1658

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/razvivatel/yapz/~3/-MXWpcYQ7kA/square?utm_term=combine+two+pdf+to+one
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60e84afdabf7595fb54defd4/1625836285841/gitekazuxepan.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60f03874bae8d04216d89137/1626355828806/react_bootstrap_responsive_form.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d165.bin
d85f5c8ab765739b6fb5dd117abc8a94289188e111cfe8eb63c694c7f801790f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD165 19084 bytes
font_01_sfnt_off000101c4.bin
00a79d5ddef05e3adadbb04f8f0d62c4247b90d6208bd739314f9b0ff31631f1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x101C4 10440 bytes
font_02_sfnt_off00011944.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11944 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.