PDF malware analysis — malicious · a76bba4a249f25a7

MALICIOUS

PDF

77.1 KB Created: 2021-07-14 04:40:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 089f4ac5df0773b76d23c04ce1717421 SHA-1: ef12f09404ce052cacb1540fc3c3a2a78326c3eb SHA-256: a76bba4a249f25a7a4d0edbb330086fc67e61710179b94d06096cd4d5a93ea68

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged as malicious by both ML classification and ClamAV, indicating a high likelihood of malicious intent. The presence of embedded URLs and the PDF structure suggest it is designed to exploit vulnerabilities or trick the user into executing a malicious payload. The specific attack pattern is likely related to phishing or malware delivery via a document attachment.

Machine Learning

Nyx PDF Classifier malicious score 0.9680

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://feedproxy.google.com/~r/sq/ugae/~3/-7-cX3opz_8/square?utm_term=worksheet+on+water+for+grade+5
- https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e889c1c4746d4c4c77e003/1625852353493/the_king_of_queens_season_4_episode_6.pdf
- https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60ee17dae9cbfe6c2fe50a9e/1626216410064/codeword_missing_letters.pdf
- https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e77ccd95336864b54083d6/1625783501957/62124155293.pdf
- https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ee0ca384a0477e84a79e4f/1626213539244/matlab_exercises_and_solutions.pdf
- https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60ee2e1afb3cc800db5456f1/1626222106259/18326883072.pdf
- https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60ec831a82b4c978cf41a22f/1626112795001/the_lateral_dimensions_of_class_d_airspace_are_based_on.pdf
- https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60ee1074f6c772366d2a7ee1/1626214517108/learn_routeros_second_edition.pdf
- https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60eddec137ddb5439bf6d3c1/1626201793960/47178881062.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000cb8a.bin` `7b0be4aa353be7b1c15ad3f717df80ce0185052dc9d851dd6bea2f1431ea25e3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCB8A	10800 bytes
`font_01_sfnt_off0000e454.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE454	16792 bytes
`font_02_sfnt_off0000fc66.bin` `bd7de85fa697af812b9067998b397ad8c27a53d3eef51de02d7182b94fe28cd4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFC66	16284 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.