Malicious PDF — malware analysis report

Static analysis result for SHA-256 893335229f5d2da0…

MALICIOUS

PDF

76.1 KB Created: 2021-07-13 16:15:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-20
MD5: 91c7dd8864f3b95d9c339a1dc1e47515 SHA-1: 421a0153d45c1757b573a4c04e7f380e2cb20898 SHA-256: 893335229f5d2da06cbfa3fa2b9c0c64af9355a958bcc7159543a0f1c3a52f82
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file exhibits characteristics of malicious activity, including malformed streams and ML classifier flagging. The presence of an SEO redirector link, identified as a lure for free downloads, suggests a phishing or malware distribution attempt. Although no scripts were directly extracted, the ClamAV detection and heuristic firings indicate a malicious PDF, likely designed to trick users into downloading further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8972

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTH
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/eaN1Eb74jJI/square?utm_term=how+to+save+two+pages+of+a+pdf+separately PDF link annotation
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e94566c14ff043cd5e03f1/1625900390755/phenolphthalein_colour_change.pdfIn PDF document text
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e8999fc1e0ce526f75932a/1625856415492/figimanofuxivetafam.pdfIn PDF document text
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e92ed1e6a58043b6921b0a/1625894609151/96927983594.pdfIn PDF document text
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ed8fae39532c3941c26617/1626181550592/watch_the_croods_a_new_age_online_free_123.pdfIn PDF document text
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e8fc23566ded7d61ab5d77/1625881635409/find_the_value_of_x_and_y_in_each_triangle.pdfIn PDF document text
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e8f47219a9f87deb70e5cb/1625879666639/12023207116.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cba7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCBA7 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000e3b9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE3B9 15548 bytes
SHA-256: b5e41c05ca3d73876f5e06348b0bb6724b646346b06d1b850d6fdbebe9ab08c0
font_02_sfnt_off00010bb2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10BB2 10732 bytes
SHA-256: 5ea2c1c2b6e136273a98a19de6c6fcaa5b7b1eb2d14df9c7f3b20149fddf38ac