Malicious PDF — malware analysis report

Static analysis result for SHA-256 a376048c49d72cd7…

Verdict: MALICIOUS
File type: PDF
Size: 80.5 KB
Created: 2021-07-16 10:25:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: d375cb42bba08d5270bcd1aea7e86a50
SHA-1: 02ecce70194b551a77a4d97af660f9d9ee8c24ed
SHA-256: a376048c49d72cd7788b422fae97d9a6b79cfd75379c766d866f9017e473ae8c
Risk score: 136

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample was identified as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. Heuristics indicate the document uses an advance-fee scam lure, presenting language associated with prizes or funds and parcel delivery requirements. While several URLs were extracted, most were confirmed as benign, and no scripts were found within the document.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.6556

Heuristics (5)

  • ClamAV detection [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Advance-fee lottery/parcel scam lure [high, SE_ADVANCE_FEE_SCAM_LURE]
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source, and size.

  • font_00_sfnt_off0000d7fe.bin
    SHA-256: 256670ebc06d6181fb8b63b9dd0a2ba390507a97c75a592ca933edbace440277
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xD7FE; Size: 10988 bytes
  • font_01_sfnt_off0000f181.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xF181; Size: 16792 bytes
  • font_02_sfnt_off00010993.bin
    SHA-256: 9b659bd481172d2f2811acc0207f5e99820e3f6493c463f63f6a4ccd7e65e81e
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x10993; Size: 16920 bytes