PDF malware analysis — malicious · 9afcbfa1540d02f4

MALICIOUS

PDF

82.1 KB Created: 2021-07-12 20:08:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-25

MD5: 50ef768753233bfb1c6b8d4948d8bd08 SHA-1: 5f8d2870aa3d7a61eddebc6934c8d0d2d8f285b3 SHA-256: 9afcbfa1540d02f488edf87fdc10afba90e44eeb215a25fcbb0c5e5d1a11961d

66 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file was detected by ClamAV as a phishing trojan, indicating malicious intent. The PDF contains multiple embedded URLs, some of which point to external resources. While the document body is heavily obfuscated and unreadable, the presence of external URIs and the ClamAV signature suggest the file is designed to lure users into malicious sites or download further payloads.

Machine Learning

Nyx PDF Classifier suspicious score 0.3811

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://feedproxy.google.com/~r/sq/ugae/~3/qI_NY8u86tA/square?utm_term=chinese+brutalism+today PDF link annotation
- https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60e93c1a025aa46e30d3b03a/1625898011028/gigizofosepugu.pdfIn PDF document text
- https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ec77077e2b6271615a2c53/1626109703473/business_policy_and_strategic_management.pdfIn PDF document text
- https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60e94ef3c22c005c933a1666/1625902835412/luwuzeduzuvatifek.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d062.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD062	10900 bytes
SHA-256: `d0e652475eab6efccbbb3ed62b00bc7b7c7c3a781a4e137280074fae20d638e9`
`font_01_sfnt_off0000e96c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE96C	2552 bytes
SHA-256: `b2092eee73ff1837486545c8ff82aac84c1cee1ca225f71951ad477885406c00`
`font_02_sfnt_off0000f42f.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF42F	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_03_sfnt_off00010c41.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10C41	18976 bytes
SHA-256: `75b53d4d0ded888198261bb0eb348eb920afdce31449217ad5a8a509e408b0e2`

Open this report in the interactive analyzer, or submit your own file for analysis.