Malicious PDF — malware analysis report

Static analysis result for SHA-256 b531d33d039bdee9…

MALICIOUS

PDF

84.0 KB Created: 2021-07-13 00:35:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 998bbb1e59a743e0382dc02584850b07 SHA-1: cd1e0018be583c54eeca3f190d8d7e255b7db1ef SHA-256: b531d33d039bdee9cecc280e0105322b4685bd93a83c2f9bd77eedd900c6e629
66 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file was detected by ClamAV as Pdf.Phishing.Trojan. The presence of embedded URLs, even if some are confirmed benign, suggests an attempt to redirect the user or download further malicious content. The PDF structure itself may contain exploits, leading to the execution of a secondary payload.

Machine Learning

  • Nyx PDF Classifier clean score 0.1717

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/razvivatel/yapz/~3/kVSxLQpkboc/square?utm_term=6+less+than+the+quotient+of+z+divided+by+3
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60ecb09d45c1203003614be9/1626124445544/1_tenth_of_50.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60e88315f3a1f037b37135fa/1625850645666/pay_as_you_earn_and_self_assessment_hm_revenue_and_customs_bx9_1as.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60ecb1d558bd604bb873a1dc/1626124757441/pacify_horror_game_free_download_for_android.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c33c.bin
6c59d653a396e159ebc4ee23294da0bf914da2c71d17ce4f7f8729c4bf237706		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC33C 11220 bytes
font_01_sfnt_off0000dd59.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDD59 16792 bytes
font_02_sfnt_off0000f566.bin
8e277f0a6446527d6662d7b763b51fdd4d61795ade0d1f8e615dd6ae0fa8fe66		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF566 1664 bytes
font_03_sfnt_off0000fd4f.bin
87523c2975ca2323a72bf1aac00fae92f60eadd20856e87ac25730861e3ad129		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFD4F 17724 bytes
font_04_sfnt_off00012bd5.bin
fd494554c7a7a2c4488382a78096c535ff133766c7221992be4f6a58596b2467		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12BD5 16164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.