Malicious PDF — malware analysis report

Static analysis result for SHA-256 b5d5b872e26449bf…

MALICIOUS

PDF

76.2 KB Created: 2021-07-14 00:34:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 62e861bd7c02f7f4278d7e33e641fada SHA-1: 94275b9006e7d605db42af70769dc43a8255362a SHA-256: b5d5b872e26449bfe1c3459bdd439727c6ce1cc9bd44ef8fded96c0c515ea2d9
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ML classifiers and ClamAV, indicating a phishing attempt. The PDF contains embedded URLs, one of which is a Google feedproxy URL, suggesting a potential lure to a malicious site. While no scripts were explicitly extracted, the presence of embedded URLs and the ML detection strongly suggest an attempt to redirect the user to a malicious resource, likely for credential harvesting or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9125

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/UZrB20b2Dcg/square?utm_term=roasted+broccoli+in+air+fryer
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ec810a72e2584f24631728/1626112266655/peboneluxofip.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ec99025338e9546e48f047/1626118402936/whens_the_next_world_cup_soccer.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e7de1d23621b4743e42e2f/1625808413254/print_to_option_not_available.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60ee04653e011143712c41b6/1626211429320/37695948649.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ed657fdacdbe35d6297eb4/1626170751526/pirated_books_meaning.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cc41.bin
1d2d38eca789c30c898ef3fdd6ea5f7120b1b48949cc9ab8ddceea87590d1977		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCC41 15496 bytes
font_01_sfnt_off0000f409.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF409 16792 bytes
font_02_sfnt_off00010c20.bin
6b854128e1702b1e83d0ba8fd9c502fe063c031a4f1b36b63d3ebd3c4a81e892		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10C20 10768 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.