Malicious PDF — malware analysis report

Static analysis result for SHA-256 95e29221356c37bd…

MALICIOUS

PDF

81.5 KB Created: 2021-07-13 09:43:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: bccfbdedc78b329a4aa47d3200653359 SHA-1: 830adbc3f7c526c0319c9d3fd2c2ffc658fe7f10 SHA-256: 95e29221356c37bd1d1dcc39cb7b08bc22918b6bb8707a7b09327a94dcad1944
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged as malicious by both ML classification and ClamAV, indicating a high likelihood of malicious intent. The presence of embedded URLs, though marked as benign, suggests an attempt to lure users to external resources. The file's structure and detection by ClamAV as 'Pdf.Phishing.Trojan' point towards a phishing or trojan delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8298

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/-MXWpcYQ7kA/square?utm_term=tier+5+youth+mobility+visa
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60e931a783ae0c490239a9ab/1625895335163/13199489172.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60ec90619a1cf201f805b7ba/1626116193830/yearly_appraisal_meaning.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e9465d0a287971af9b1733/1625900637379/390346755.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e7db507e45264421f8b9e9/1625807696763/picanha_sous_vide_time.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ec8f299c874e714248938d/1626115881527/food_delivery_near_ne.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ddbb.bin
b068210672f0766323b822a50634f9810f67a1e568a8097faefc1f2b4fc1f9d2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDDBB 10788 bytes
font_01_sfnt_off0000f6b3.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF6B3 16792 bytes
font_02_sfnt_off00010ec5.bin
6f7d36f00f7ff28617cc3f8272addfea1559e1c1fd47f4821578d82f70ea296a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10EC5 16696 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.