Malicious PDF — malware analysis report

Static analysis result for SHA-256 b1e2a1ca55bf2491…

MALICIOUS

File type: PDF
Size: 88.7 KB
Created: 2021-07-19 01:02:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 76b7253c443ef3e4442a2f51935392e4
SHA-1: d6f8f3c589835dc88c2079feda3a74e939ed0e72
SHA-256: b1e2a1ca55bf24917ca6ae66eeaf5a8e719706d11e0448e72568e6b5e3c9d6c6
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. The presence of an external URI suggests an attempt to redirect the user to malicious content. While the document body is unreadable, the heuristics and detection names point towards a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.6359

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical; tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure (severity: low; tag: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info; tag: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info; tag: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f854.bin
  SHA-256: 980ce1a584fd2e0b33d1a937164a833f772d088c1567eccb1c57e9e1f3d3def1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF854
  Size: 17024 bytes

Filename: font_01_sfnt_off000124f2.bin
  SHA-256: b9fe6848e71d82d19ff71debf9a65f1cb0ad745aa384b54308d4126768a392f8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x124F2
  Size: 11132 bytes

Filename: font_02_sfnt_off00013ec1.bin
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13EC1
  Size: 16792 bytes