Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6a7b95a6f34c7c9…

Verdict: MALICIOUS
File type: PDF
Size: 82.0 KB
Created: 2021-07-14 01:49:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 16ab1741f2f89b924a9fe47437616ae4
SHA-1: b0156ef16072dbec2dc34cbc33f24ec84d607223
SHA-256: b6a7b95a6f34c7c9f32196777787dce82db9c181e2047dc356c9e45a8aabc365
Risk score: 66

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

ClamAV identifies the file as malicious with the signature Pdf.Phishing.Trojan. The document carries an external link action; its target URL is not itself flagged at the time of analysis, but a lure document whose only payload is an outbound link is a common phishing and malware-distribution pattern, and the link target can be re-pointed server-side at any time. The document body is heavily obfuscated and unreadable, suggesting an attempt to hide content (note that wkhtmltopdf compresses content streams by default, so an unreadable raw dump is weak evidence on its own; the verdict rests on the signature match and the link action). No scripts were extracted; the external URI heuristic indicates the document is built to redirect the user to a remote site rather than to execute code locally.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3705

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for the same reference, a parser-confusion shape used by targeted PDFs to show one document to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates (a saved edit appends a new copy of the object), so severity is raised only when one of the duplicate bodies carries active content such as an action or script.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://feedproxy.google.com/~r/sq/ugae/~3/cEZ-xJcQpFE/square?utm_term=100+chinese+yuan+to+sgd
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e8cea85ef51a130ea07773/1625869992073/convert_to_word_pictures.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60ec805d0d838b6c850c990d/1626112093677/79068868427.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ec85c7c217102653d6781b/1626113479438/61601877174.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e8bd4c5014d954a6663565/1625865548244/74177778239.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    Triage note: the w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers, and the two dejavu.sourceforge.net entries almost certainly come from the name tables of the embedded DejaVu fonts listed under Extracted artifacts; none of these is a navigation target. The feedproxy.google.com entry is a FeedBurner-style click redirector, and the four static1.squarespace.com PDFs are further hosted documents in the same chain; these are the indicators worth pivoting on.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d3a5.bin
  SHA-256: d8cf5758b7ad2e37f6537d2bd21c406e8b161e5f6217af9fafee01d68d723dbc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD3A5
  Size: 2764 bytes

Filename: font_01_sfnt_off0000df49.bin
  SHA-256: 38bc37c2188bcfdb7e2b6b1b2286ccc526ca45c743f14bb9891241174ba9a296
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDF49
  Size: 17088 bytes

Filename: font_02_sfnt_off00010aef.bin
  SHA-256: 66afb8c188dccc82f7e6b84d5f42a2710bcd5b626c4a40cfd3ff0707904d5992
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10AEF
  Size: 10792 bytes

Filename: font_03_sfnt_off0001239b.bin
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1239B
  Size: 16792 bytes