Malicious PDF — malware analysis report

Static analysis result for SHA-256 88005256f2a5166a…

Verdict: MALICIOUS
File type: PDF
Size: 112.6 KB
Created: 2021-07-14 06:10:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 48610a6d61b995e736f92bc584e9ab5f
SHA-1: 40d9d3ed49e6c0b79426a344544847d495049fc3
SHA-256: 88005256f2a5166aebf6079ce03d4f7892f56efdf717d761bab41344143f33d2
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

Both ClamAV (a Pdf.Phishing.Trojan signature) and the Nyx ML classifier (score 0.9981) flag this PDF as malicious. The extracted URLs fall into two groups: the feedproxy.google.com and static1.squarespace.com links, which the document can send a reader to, and the w3.org, purl.org, ns.adobe.com and dejavu.sourceforge.net URIs, which are XMP namespace and font-licence identifiers written by the authoring toolchain and are not lure links. Together with the external URI action, the squarespace links point to a redirect or phishing lure. None of the heuristics below reports JavaScript, a launch action or an exploit-shaped object, so the T1203 (Exploitation for Client Execution) tag rests on the signature and classifier verdicts rather than on an exploit observed in this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9981

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when a duplicate body carries active content such as an action or a script.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://feedproxy.google.com/~r/sq/ugae/~3/iXsW93xxTQA/square?utm_term=the+jetsons+1985
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60ec86c5f89f8e700bf7ba34/1626113733419/township_mod_apk_unlimited_money_and_coin.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ec922bf83a7f26ecd1bf57/1626116651848/beledetovebogerulodor.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60ecd920fc46f1629afd7aa8/1626134816693/pulmonary_edema_can_be_caused_by.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e915c20a287971af998c0f/1625888194240/how_to_put_text_boxes_on_a.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60e76d5280ff2057504543a1/1625779538563/1_kw_equal_to_hp.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60edc3337ce58f02ed90efbb/1626194739972/how_to_get_flat_tummy_naturally_at_home.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e8df045fa2eb14b908281f/1625874180438/91387881313.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60edfa03e7c05a535259e047/1626208771676/gem_therapy_in_vedic_astrology.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ee0c0a2d09e34b729c63ee/1626213386821/how_do_you_teleport_someone_in_minecraft.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60ee26e827fa864c7d101949/1626220264524/a_lesson_before_dying_discussion_questions_answer_key.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60ee08cd9b1e4d6a3608e556/1626212557583/89483504976.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
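The two heuristics above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL with per-channel labels, in working form. This is an added example, not code from this report or from the analysis engine that produced it. It assumes a constructed minimal PDF (not the analysed sample) in which an incremental update redefines a link annotation with a different /URI target and also rewrites a harmless page-tree object; the raw-byte "N G obj" scanner is an approximation (text inside a stream could also match) and the set of "active content" keys is an assumption of this example, not the engine's rule.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample (not the analysed file): a minimal PDF with one incremental
# update that redefines object 4, a link annotation, with a different /URI target,
# and object 2 with a body-only change that carries no active content.
# Cross-reference tables are omitted because this scanner does not use them.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://example.org/benign) >> >>
endobj
5 0 obj
<< /Type /Metadata /Subtype /XML /Length 66 >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 /Rotate 0 >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://example.org/updated-target) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# "N G obj ... endobj" in file order. A raw byte scan rather than an xref walk, so
# it sees every definition, including ones a later xref no longer points at.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")
# Assumed "active content" keys: their presence in a duplicated body escalates it.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR")


def scan_objects(data):
    """Return [(num, gen, body_bytes)] for every indirect object definition."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3))
            for m in OBJ_RE.finditer(data)]


def find_duplicate_objects(data):
    """Same (num, gen) defined more than once with different bytes. Shows what a
    first-wins and a last-wins reader would each resolve; severity is raised only
    when one of the bodies carries an ACTIVE_KEYS entry."""
    by_id = defaultdict(list)
    for num, gen, body in scan_objects(data):
        by_id[(num, gen)].append(body)
    findings = {}
    for key, bodies in by_id.items():
        digests = {hashlib.sha256(b).hexdigest() for b in bodies}
        if len(bodies) > 1 and len(digests) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            findings[key] = {
                "count": len(bodies),
                "first_wins": bodies[0].strip(),
                "last_wins": bodies[-1].strip(),
                "severity": "high" if active else "info",
            }
    return findings


def extract_urls(data):
    """Return {url: set(channels)}. The channel is decided by the object the URL
    sits in: a /URI action (link annotation or OpenAction), a /JS string, an XMP
    metadata stream, or plain document body."""
    found = defaultdict(set)
    for _num, _gen, body in scan_objects(data):
        if re.search(rb"/Type\s*/Metadata", body):
            channel = "xmp_metadata"
        elif b"/JS" in body or b"/JavaScript" in body:
            channel = "javascript"
        elif re.search(rb"/S\s*/URI", body):
            channel = "uri_action"
        else:
            channel = "body"
        for m in URL_RE.finditer(body):
            found[m.group(0).decode("latin-1")].add(channel)
    return dict(found)


if __name__ == "__main__":
    for (num, gen), f in find_duplicate_objects(SAMPLE_PDF).items():
        print(f"object {num} {gen}: {f['count']} definitions, severity {f['severity']}")
        print("  first-wins ->", f["first_wins"].decode("latin-1"))
        print("  last-wins  ->", f["last_wins"].decode("latin-1"))
    for url, channels in sorted(extract_urls(SAMPLE_PDF).items()):
        print(f"{url}  [{', '.join(sorted(channels))}]")
```

Run against the constructed sample, object 2 is reported at info severity (a body-only change with no action), while object 4 is escalated because both of its bodies carry a /URI action, and the two readers would follow different targets; the XMP namespace URI is labelled xmp_metadata rather than as a link a reader could follow.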

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Fields: Filename, SHA-256, Kind, Source, Size

font_00_sfnt_off00015606.bin
  SHA-256: 8dfe32f0bef105cbd8ccf0f94ed4f7ceb93b4194c72716e1fe456c27389b28d1
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x15606
  Size:    10460 bytes

font_01_sfnt_off00016ddb.bin
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x16DDB
  Size:    16792 bytes

font_02_sfnt_off000185ed.bin
  SHA-256: 3cc2c864bb4559e17c7a8dfa549d3243cd2e84c3dd60796fd510b5af58f64354
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x185ED
  Size:    18332 bytes