Malicious PDF — malware analysis report

Static analysis result for SHA-256 8246c64a98152827…

MALICIOUS

PDF

Size: 74.4 KB
Created: 2021-07-15 20:10:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: a404b8f8c61d1fd1dac377fa05919c52
SHA-1: cf388444c23eb425f8852fe68ba6ed0ae96bae62
SHA-256: 8246c64a98152827752e03e56e85b42e66c2b6d57970b51254c256ade26c42dd
Risk Score: 66

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with a 'Pdf.Phishing.Trojan' signature, indicating a phishing attempt. The presence of embedded URLs, though marked as benign, suggests an attempt to redirect the user to malicious content. The PDF structure itself contains duplicate objects, which can be a technique used to evade detection or embed malicious content.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2592

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000c544.bin
  SHA-256: 67fbcceff9906fc07bbbfb692212c7d2593c19c3b153a9b7fcc4b62d93be7a0f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xC544
  Size: 15544 bytes

Filename: font_01_sfnt_off0000ed08.bin
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xED08
  Size: 16792 bytes

Filename: font_02_sfnt_off0001051f.bin
  SHA-256: 2857b48238dad2144e5efcc689938d83bcce72ccca08c3814da2ab30d144f0c7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1051F
  Size: 10720 bytes