Malicious PDF — malware analysis report

Static analysis result for SHA-256 882e0e081603f52e…

Verdict: MALICIOUS
File type: PDF
Size: 76.2 KB
Created: 2021-07-13 22:19:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: d530f7f8489fbc0f18d8197ee4ab9fe1
SHA-1: 2e670f73de51571dde4c396fb251489f7a4e4c2d
SHA-256: 882e0e081603f52e8eff61b232aa511f4b223bcebff0e1f2cdae1cd431d74e5c
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a PDF document that contains an embedded URL pointing to a suspicious domain. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or malware distribution. Although no scripts were explicitly extracted, the presence of an external URI and the overall malicious classification suggest an attempt to redirect the user to a harmful site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8907

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://catamma.ru/square?utm_term=how+to+do+a+fade+out+in+imovie
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ecac965338e9546e4b1306/1626123414303/west_point_missionary_baptist_church.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e937b12210ba6bce12e75f/1625896881595/chatrapathi_audio_songs_downloading.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60ec905f58d864752e021377/1626116192058/putetunetigajanudikekiz.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ec732c7e5cd11affcb753b/1626108716225/59841854657.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e85894e98ab22bd7d52694/1625839764988/11628130170.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60e7c7957be683581ce1a929/1625802645771/waste_management_new_plymouth.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000c81c.bin
    SHA-256: 2eac8ef91f0b607f6ef303e0d8947c6981a37175e7e8048f8b522c973f805859
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC81C
    Size: 10444 bytes
  • Filename: font_01_sfnt_off0000dfc3.bin
    SHA-256: 1bc4821e0b9be6df99a82b1c6d06ccb7b906798cf3d805510f7558651f5c1518
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDFC3
    Size: 16732 bytes
  • Filename: font_02_sfnt_off00010b5a.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10B5A
    Size: 16792 bytes