Malicious PDF — malware analysis report

Static analysis result for SHA-256 b81695cf53d550d3…

MALICIOUS

PDF

73.3 KB Created: 2021-07-12 21:41:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 56d7363f621856732ce79890d712750c SHA-1: e32afd7c9cd35f196877ddd3382538f0fb841a6c SHA-256: b81695cf53d550d388441f10ed34dd4d1d132905e734e2c5ba3c01bbfa8d84e0
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was flagged as malicious by ClamAV and an ML classifier. It contains an embedded URL pointing to 'https://catamma.ru/square?utm_term=toy+story+fingerstyle+tab', which is likely part of a phishing or malware distribution scheme. No scripts were extracted, but the presence of the malicious URL suggests an attempt to redirect the user to a harmful site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6030

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://catamma.ru/square?utm_term=toy+story+fingerstyle+tab
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e841a402850865eb89bf68/1625833893113/16017419731.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e8c597596d362fd0fc0ae0/1625867671494/muwabuwunomusetew.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e889e9455dce08fe7df29a/1625852393703/93703429609.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e77aa7906000174a5f4eaf/1625782951932/how_do_i_stop_cheating_on_my_wife.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bbe9.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBBE9 16792 bytes
font_01_sfnt_off0000d3fb.bin
a7885a3c5673bdd16e2b78733af4c6214a72229c728c53971300da2ede01a750		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD3FB 16556 bytes
font_02_sfnt_off0000ff6c.bin
ae72e891a326a02a03154bb0046aac0389d3b9ee583b8ea3dcd840e85174f362		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFF6C 10608 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.