PDF malware analysis — malicious · b64d846255aec9d3

MALICIOUS

PDF

73.6 KB Created: 2021-07-17 01:45:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 9340c9c78ac7aab9bd71aa4cb09478c6 SHA-1: 829f97a28941224407132aae92d59f3a591ff7ac SHA-256: b64d846255aec9d3e9e564f8b695d9256559900bf2c83fd18b628eb49bcf56fe

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0' and an ML classifier indicating maliciousness. The presence of embedded URIs, even if some resolve to benign content, suggests an attempt to lure the user to external resources. The file's structure and detection patterns are consistent with a phishing or trojanized PDF.

Machine Learning

Nyx PDF Classifier malicious score 0.7882

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://feedproxy.google.com/~r/sq/ugae/~3/0YvHz_IItD0/square?utm_term=stencil+face+drawing
- https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ec94e39cb57f380a790c69/1626117347693/movie_quizzes_and_answers.pdf
- https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ee7b86fc191471fc6fdd26/1626241926974/bevib.pdf
- https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f1f7d7bad1536f43d6090e/1626470359280/tortillas_and_cream_cheese.pdf
- https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60ee08937dee9f188f743e17/1626212499696/patient_confidentiality_meaning.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c2db.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC2DB	16792 bytes
`font_01_sfnt_off0000daed.bin` `c275032fdd9c9d8b126e5368d6c272e49ea6c6631f07fccd3a4f3e7250141539`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDAED	15568 bytes
`font_02_sfnt_off000102ba.bin` `0736ef1584d5654096dceefb434e757d4cc2a2ce2295aaae2267e5f0eafd56b7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x102BA	10524 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.