Malicious PDF — malware analysis report

Static analysis result for SHA-256 b34752d7d7b158b8…

MALICIOUS

PDF

Size: 74.0 KB
Created: 2021-07-16 04:43:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 5959b366485b5ec2646ce45583465380
SHA-1: 9270939f66cc3162fd69ec1e46437a605b4c598b
SHA-256: b34752d7d7b158b8251e772a20387713698ea9e65ef7c8a83203f8b1c34d1929
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The PDF contains embedded URLs, and while many are marked as benign, the presence of obfuscated content and the overall detection suggest it's designed to deceive users, potentially for phishing or to download further malware. No scripts were extracted, limiting the analysis of specific execution methods.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9163

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://feedproxy.google.com/~r/sq/ugae/~3/AnJPYMJXbyQ/square?utm_term=eliminator+battery+charger+manual+pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60ed9aba42b28049586651db/1626184378924/father_and_son_guitar_chords_and_strumming_pattern.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60ee14a1fc191471fc697fb6/1626215585277/first_thirty_elements_in_periodic_table.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60ec903a8c19ad4998dbf29b/1626116155101/36561210146.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60e7b8315c1b8460033cffca/1625798705746/small_tits_video.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f033f10d8d0805bdb7f442/1626354673447/best_tv_show_ever.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e7e7e345e16b3be7ea5b69/1625810915838/federal_court_lawsuit.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60ed1e20c50d503b9d54ea70/1626152480515/saliva_coming_out_of_mouth.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size.

  • font_00_sfnt_off0000c30c.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC30C
    Size: 16792 bytes
  • font_01_sfnt_off0000db23.bin
    SHA-256: 901d6da5441c1d1a8116ddc73cac1022bba151d3edb2269c2251f6e7d002a717
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDB23
    Size: 11236 bytes
  • font_02_sfnt_off0000f4d2.bin
    SHA-256: edff7145a1f6d044282b5403875a7329a42f076a128e44b60831ab9a922791da
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF4D2
    Size: 15332 bytes