Malicious PDF — malware analysis report

Static analysis result for SHA-256 80e616a862f7fa35…

MALICIOUS

PDF

84.0 KB Created: 2021-07-23 02:16:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 7d03287309dafc88d019223de824546d SHA-1: 4d732456080c6e7a0541749401ac74eb89ff6fcc SHA-256: 80e616a862f7fa357e5d1b8c1d91c18eba5727400ae6bf8f9b80068a780ac60f
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was identified as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The presence of embedded URLs, even those initially flagged as benign, suggests a redirection mechanism common in phishing attacks. The PDF structure and heuristics point towards an attempt to exploit users through deceptive content or links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/iYdez4bKglI/square?utm_term=the+rise+of+the+prophetic+voice+pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f42e1a699a8678c583104e/1626615322722/33526713434.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f1d5d8525c7d2b6b3115f0/1626461656377/tukisapo.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60f32f34e615ea111e67fdd6/1626550068724/electricity_solution_class_10.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60eff8c4c0b35f4fb3da96a3/1626339524805/meatball_mac_and_cheese.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f6e34ddd4cf416515ab3cf/1626792781768/excel_count_cells_that_are_not_blank.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f6659a285ce460d19ee6b1/1626760602659/chess_puzzle_knight.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60e91f973ba7d954d54624ff/1625890711463/icd_10_anaplastic_large_cell_lymphoma.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60f0e5da9b6f236119536044/1626400218899/bafek.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60e91beb6e267257943aa7c5/1625889771184/38560234105.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60f02e92177a4e2836d58ce1/1626353298697/fivetes.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f49620689a653fd2a54c04/1626641952778/tolukilokulinobadudem.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e95ea618245d33f183746c/1625906854560/the_institue_of_education.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f888ab3a8443071e2b1f90/1626900652124/ballet_and_tango_are_types_of.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60f842bbbd6002733ac96be7/1626882748807/vovenotokamozi.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60ede57ba0f2ca3483d2d10b/1626203515224/solub.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60f9ed233e742756c9caeedf/1626991907574/topirugoxojaxewanele.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f6d8f5a50b8501ee2d6ce7/1626790133461/29148768137.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60f58ea81434f635473f78e7/1626705577070/forojowusuxil.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f75a4cd437b318e4407f11/1626823244764/fable_3_pc_mods.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f45a4e9471b562af1b4433/1626626638433/mutual_inductance_between_two_loops.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e1e2.bin
d347472efdcb54beaeb1e7b368d5ade385df327b8d4ceeb6d7102c020fb86f7d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE1E2 10432 bytes
font_01_sfnt_off0000f9b9.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF9B9 16792 bytes
font_02_sfnt_off000111cb.bin
e69e77ebcdbdd2752b720e709a0c41a4a61d8703200c1a5b2c286d882b4cf141		 pdf-font-stream PDF embedded font (sfnt) at offset 0x111CB 17576 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.