Malicious PDF — malware analysis report

Static analysis result for SHA-256 9f98140904bd1a61…

Verdict: MALICIOUS
File type: PDF
Size: 92.2 KB
Created: 2021-07-18 16:47:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 2f81125c63b45678bde944cbeec85f84
SHA-1: 5280dcc4c2e2dbb0f854f19cbf8c2b14f2392b6c
SHA-256: 9f98140904bd1a610961fa412d6a2c5526bd533c7f6012d840a76af32b9d5681
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The ML classifier and ClamAV detection strongly indicate maliciousness. The PDF contains embedded URLs and obfuscated content, suggesting it's designed to lure users into clicking malicious links or downloading further malware. The presence of PDF_URI and EMBEDDED_URL heuristics points to the exploitation of PDF vulnerabilities or social engineering tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8712

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off000106f0.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x106F0
    Size: 16792 bytes
  • font_01_sfnt_off00011f07.bin
    SHA-256: 88ee2dcf7787aa726d4d1d95e2a123dc4fe827e5ec9c920bf2923e63249aca10
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11F07
    Size: 11220 bytes
  • font_02_sfnt_off000138c3.bin
    SHA-256: d234146380021aeeb83b16447753b50f95defc191908b7ffd8d6104ee4312225
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x138C3
    Size: 16676 bytes