Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9e46461fcbec975…

Verdict: MALICIOUS
File type: PDF
Size: 70.7 KB
Created: 2021-07-13 02:40:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 03bc3987551d027951a0fde559be4f40
SHA-1: ec416019e3e9b14c17722447a85cacf4684e8834
SHA-256: b9e46461fcbec975b5be1ac533d397f1eb77803511654067a4d131e58c56f545
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains embedded URLs that likely lead to malicious sites. Although no scripts were explicitly extracted, the PDF structure and heuristic firings suggest it is designed to exploit vulnerabilities or trick users into visiting phishing pages.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.6193

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://feedproxy.google.com/~r/razvivatel/yapz/~3/v-xubMviL4Y/square?utm_term=what+causes+orbs+in+photos
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60ec8be5b8cbe518df58bd91/1626115046111/tethering_phone_to_tablet.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e905a3b630645a0ef6498a/1625884067748/places_to_sell_copper_near_me.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60ecbb29caf21f280d7c7229/1626127145660/fejirulefeworedofemenita.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60ec91aabc6eee4b058f5c38/1626116522776/10091255057.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size

  • font_00_sfnt_off0000b751.bin
    SHA-256: 8fe109429c607d2b421e691eda96460b4fd3fb9fa0d5beaeaf3d9c72b6e27c97
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xB751 | Size: 15652 bytes
  • font_01_sfnt_off0000e005.bin
    SHA-256: 2854191e742f391899b23fe1177f177102ede29ac707b92318246c247fdbdca3
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xE005 | Size: 10660 bytes
  • font_02_sfnt_off0000f83c.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xF83C | Size: 16792 bytes