Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f18d716f94ffc66…

MALICIOUS

PDF

77.1 KB Created: 2021-07-14 01:58:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-25
MD5: 0478e4a33e8be159b900d1a4a8697d21 SHA-1: b8f427db6e6c5f087e99cf9ffe5b36c104fd1244 SHA-256: 7f18d716f94ffc66b0f8b1e72ec4fb943bf77eb7b7dd9d91f9471f7f6da9ff22
66 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The ClamAV detection 'Pdf.Phishing.Trojan' strongly indicates malicious intent, likely for phishing or delivering a trojan. The presence of embedded URLs, although flagged as benign, suggests an attempt to redirect the user or download further malicious content. The PDF structure itself shows signs of manipulation with duplicate object bodies, which can be used to hide malicious code.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3002

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/gPkW7oTCsL0/square?utm_term=landscaping+topsoil+near+me PDF link annotation
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60edd2424ff81d3e2812b7e9/1626198594884/ssrs_interview_questions_for_experienced.pdfIn PDF document text
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e93cffb630645a0ef83892/1625898239967/73628615562.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c996.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC996 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000e1ad.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE1AD 10812 bytes
SHA-256: 6aaf458ac097d6b63d7e35905a45631ebac4ea61371621fd385085d80c9defc6
font_02_sfnt_off0000fa57.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFA57 17048 bytes
SHA-256: 909b6c36b7a6ebeff64d6d8ab108075185f5a1c58cee5cd5108ac3ce18f265d2

Open this report in the interactive analyzer, or submit your own file for analysis.