PDF malware analysis — malicious · a25c7145c66345c9

MALICIOUS

PDF

77.5 KB Created: 2021-07-18 00:57:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 6f26d48ae9fa8c6b201c2b17c1bd5540 SHA-1: be7ada9f969cfb8bd503b17569b89bb1cf51e408 SHA-256: a25c7145c66345c9139a5da34c006dddccff57015339cce2cb3a425e7d290be3

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The sample was identified as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains embedded URLs, one of which is a feedproxy URL that resolves to a benign page, but the presence of multiple embedded URLs suggests an attempt to redirect the user. No scripts were extracted from this sample, limiting the analysis of its specific execution behavior.

Machine Learning

Nyx PDF Classifier malicious score 0.9163

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://feedproxy.google.com/~r/sq/ugae/~3/-MXWpcYQ7kA/square?utm_term=perpendicular+point+slope+form+calculator
- https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e8bc45e5d4731e3e95120a/1625865285883/types_of_bill_of_lading_in_export.pdf
- https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60ee6185ab0cb8743be6e407/1626235269094/null_clash_of_clans_latest_version.pdf
- https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60eda9158b6fd728761653f8/1626188053858/53528500782.pdf
- https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f34c27deec5816202f0eb4/1626557479695/66972915194.pdf
- https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60ee24af2af4c01978fb2d07/1626219695334/no_weapon_thats_formed_against_me_shall_prosper.pdf
- https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e93f66f107ff2467e9fffd/1625898854944/physical_signs_of_burnout.pdf
- https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e932c5c4c1a734c5d76b1f/1625895621346/xinesotirekoxixipuzikep.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000cd3c.bin` `cbb45b0fbccac87b498d471600b6592d0137aee51040c85fbd4f85087981a3f7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCD3C	10884 bytes
`font_01_sfnt_off0000e65c.bin` `5815292bc3732a643d9512be74493844db0fcec4558d5029e5476eed28f33ccc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE65C	16648 bytes
`font_02_sfnt_off000111d8.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x111D8	16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.