Malicious PDF — malware analysis report

Static analysis result for SHA-256 91e85a36521dfc4d…

MALICIOUS

PDF

78.1 KB Created: 2021-07-16 05:36:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 9a82adf0f5d883a4d70cb245a4ce778f SHA-1: a56e8c61fb3d55e434a9a44d4b66f6911a6301ac SHA-256: 91e85a36521dfc4d772aafb28833bccbe529ee5d1ebbc33c348e252d74d3a583
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV and an ML classifier, with a critical heuristic firing for ClamAV detection. An external URI pointing to 'laborke.ru' was extracted, which is suspicious. Although the document body is unreadable, the presence of an external URL and the malware detection suggest a phishing or malware delivery attempt, likely initiated via a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8287

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://laborke.ru/square?utm_term=definition+of+forebearing
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f0a5bfc07ec5325bc78ef0/1626383807949/study_abroad_office.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60ed363ef9a98d6db3aafebe/1626158654705/baby_shopping_list_for_first_time_moms.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60e7b32351cb2a526cfa93e0/1625797411187/pujiz.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60f0aea5629a5a0ea0106ae2/1626386086196/84630005095.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ee1f530981f365859fed26/1626218323151/pepaseximon.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60f07106529fbe08b0ab680d/1626370310944/80818911537.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d1b1.bin
b023d3ee89d99d26b805f130a7d130a2cd65b4a968d1e1b3f6c035391eb8a4f4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD1B1 16696 bytes
font_01_sfnt_off0000fd28.bin
259fa1b630823b0d8318a4ae97da0a0d4462840894bc4b83d6b317919934b3e8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFD28 10316 bytes
font_02_sfnt_off00011492.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11492 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.