PDF malware analysis — malicious · b9da49f78b211112

MALICIOUS

PDF

74.2 KB Created: 2021-07-20 21:50:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-20

MD5: b12cd51e41626f286bef1c1d1c2068ad SHA-1: 5444ed11319230885d7e6d0bd4d4361b1aa101f9 SHA-256: b9da49f78b211112706fbf8f3e4ad8a6f113661482ed81b0407fdc492701d3b9

66 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The ClamAV heuristic identified this PDF as 'Pdf.Phishing.Trojan-d2568dad23a94d95', indicating a phishing and trojan payload. The presence of embedded URLs, though many are marked as benign, suggests an attempt to redirect the user to malicious content or download further stages. The file's structure also shows duplicate object bodies, which can be used to obfuscate malicious content within PDFs.

Machine Learning

Nyx PDF Classifier suspicious score 0.2686

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://feedproxy.google.com/~r/sq/ugae/~3/AnJPYMJXbyQ/square?utm_term=the+best+way+to+learn+is+to+teach PDF link annotation
- https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60f5641225edf12306724011/1626694676092/at89s52_microcontroller.pdfIn PDF document text
- https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f2ae6c54c26a0cc3f46b98/1626517100695/one_way_out_solo_tab.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c2a8.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC2A8	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_01_sfnt_off0000daba.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDABA	16180 bytes
SHA-256: `b453a0b4d830db08db426ff3e27e61ae20fbc6dbdb75348df582892f40ab7943`
`font_02_sfnt_off0001046b.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1046B	10628 bytes
SHA-256: `ec2b2b406fbab7975468764e140faa11120b036dd9a58c5216ed80a683296405`

Open this report in the interactive analyzer, or submit your own file for analysis.