Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae1f583c14cac758…

MALICIOUS

PDF

Size: 73.0 KB
Created: 2021-07-12 22:56:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 86853c48570d4222cbee65635bdb9028
SHA-1: c14911dfa7e1e73ea5d522f462616a332a3971ad
SHA-256: ae1f583c14cac758589633f4f31cc9e8cefc91edb94b6cbcd599aa8fd8323a6a
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan threat. The presence of embedded URLs suggests an attempt to lure the user to malicious content or download further stages. The file's structure and detection results strongly point towards a malicious document designed for exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8216

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://feedproxy.google.com/~r/razvivatel/yapz/~3/XMoLd4EPXkg/square?utm_term=the+equivalent+capacity+between+a+and+b+in+the+given+figure+is
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60ec7803950202184f0f4b7b/1626109955513/35287168931.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60e8efd6c14ff043cd5a74fb/1625878486974/easy_poster_colour_painting.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60ec87ae8300fd66e196bc6a/1626113966704/cfcs_and_the_ozone_layer.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e7a6f74b964f05b8453b9b/1625794295098/33737610811.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ec80f9c3fb560d26f2a3e7/1626112249832/54417108687.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000b785.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB785 | 11392 bytes
    SHA-256: 1f4bbaa0e993beed09a21aff4db8f1867651fb0ba206f3a66e521a95cdb39c32
font_01_sfnt_off0000d1ab.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD1AB | 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off0000e9bd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE9BD | 17496 bytes
    SHA-256: 9f52258021ef8b88d3fe93bff1bd6e3dc1b20fda93139396b40ef6926361851c