Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf0783f557673ed4…

Verdict: MALICIOUS
File type: PDF
Size: 91.9 KB
Created: 2021-07-20 00:56:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: c885800881b6e7c1ea90adf47c21cb99
SHA-1: fd627bb957454fca81f534a2edb789776773829b
SHA-256: bf0783f557673ed488d0b4dbb5d4c37caa73371d1e2c87ec66cdd9a8e7a5c17b
Risk Score: 66

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

ClamAV matched this PDF against the signature Pdf.Phishing.Trojan-d2568dad23a94d95, and that match is the basis of the malicious verdict; the ATT&CK mapping to T1566.001 follows from the phishing classification and the delivery vector (a PDF attachment), not from any observed execution. The document carries an external URL action (PDF_URI) and links to third-party hosting (a feedproxy.google.com redirector and two PDFs on static1.squarespace.com), which fits a lure document that sends the reader onward rather than one that exploits the viewer: none of the listed heuristics reports JavaScript, an embedded file or a launch action, and the only carved artifacts are three embedded sfnt fonts. The wkhtmltopdf producer string shows the file was rendered from HTML, consistent with a templated, machine-generated lure. The remaining extracted URLs are not navigation targets: w3.org, purl.org and ns.adobe.com are XMP/RDF metadata namespace identifiers, and the dejavu.sourceforge.net links are the DejaVu font project's home and licence URLs carried in the embedded fonts' metadata. The duplicate-object finding (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) is rated info, which under this heuristic means the redefined object was not seen to carry active content; it is still worth resolving both the first-wins and last-wins view of the document before trusting any single parser's rendering of the link target.

Machine Learning

  • Nyx PDF Classifier clean score 0.1448

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://feedproxy.google.com/~r/razvivatel/yapz/~3/gOBB6uaVNRA/square?utm_term=jelly+and+marmalade
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60e8855d6a45ae151fb4928e/1625851229568/22336364040.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f5f2999713c03b4bd3e057/1626731161129/about_indian_classical_music.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
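The two structural heuristics above (PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a raw byte scan. The script below is an added example, not the report's analysis engine or any of its detection logic: it lists every `N G obj` definition, flags object numbers whose bodies differ, emulates a first-wins and a last-wins reader for the disputed object, and pulls every /URI target including the hex-string form that a plain strings pass misses. SAMPLE_PDF is a constructed file (example.* placeholder URLs, no real xref offsets) in which an incremental update redefines object 5, a /URI action that is also the catalog's /OpenAction, and object 3, a page with a harmless /Rotate change; the ACTIVE_KEYS list that decides the info-versus-warning severity is my own choice, not the report's.

```python
"""Raw-byte triage for the PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shapes.

Added example, not the report's analysis engine. SAMPLE_PDF is constructed:
a minimal PDF whose incremental update redefines object 5 (a /URI action that
is also the catalog's /OpenAction) with a different target, and object 3 (a
page) with a harmless /Rotate change. All URLs are example.* placeholders.
"""
import re

SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A 5 0 R >> endobj
5 0 obj << /Type /Action /S /URI /URI (https://example.org/benign) >> endobj
trailer << /Root 1 0 R >>
%%EOF
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Rotate 90 >> endobj
5 0 obj << /Type /Action /S /URI /URI <68747470733a2f2f6578616d706c652e6e65742f6c757265> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# "N G obj ... endobj" scanned straight off the bytes, pdfid-style: the xref
# table is ignored, and objects packed inside /ObjStm streams are not seen.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)

# Keys that make a redefined body "active content" (my list, not the report's).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/GoToR",
               b"/SubmitForm", b"/OpenAction", b"/AA", b"/EmbeddedFile", b"/RichMedia")

# /URI written as a literal string (...) or as a hex string <...>; the hex form
# is what hides a URL from a plain strings/grep pass.
URI_RE = re.compile(rb"/URI\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.DOTALL)
ESCAPES = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12}


def scan_objects(data):
    """Map (num, gen) -> list of body bytes in file order; index 0 is first-wins."""
    objs = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objs.setdefault(key, []).append(m.group(3).strip())
    return objs


def duplicate_objects(data):
    """Objects defined more than once with different bytes, with the severity
    rule from the report: info unless some definition carries active content."""
    findings = []
    for key, bodies in scan_objects(data).items():
        if len(set(bodies)) < 2:
            continue  # defined once, or redefined with identical bytes
        active = any(k in body for body in bodies for k in ACTIVE_KEYS)
        findings.append({"object": key, "definitions": len(bodies),
                         "first_wins": bodies[0], "last_wins": bodies[-1],
                         "active": active,
                         "severity": "warning" if active else "info"})
    return findings


def resolve(data, num, gen, policy="last"):
    """Emulate a first-wins or last-wins reader for one indirect object."""
    bodies = scan_objects(data).get((num, gen))
    if not bodies:
        raise KeyError(f"{num} {gen} obj not found")
    return bodies[0] if policy == "first" else bodies[-1]


def _unescape_literal(raw):
    """Undo PDF literal-string escapes: \\n-style, \\ddd octal, \\( \\) \\\\."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != 0x5C or i + 1 >= len(raw):   # not a backslash
            out.append(raw[i]); i += 1; continue
        j = i + 1
        if 0x30 <= raw[j] <= 0x37:                 # up to three octal digits
            while j < len(raw) and j < i + 4 and 0x30 <= raw[j] <= 0x37:
                j += 1
            out.append(int(raw[i + 1:j], 8) & 0xFF)
            i = j
        else:                                      # \n etc., or the char itself
            out.append(ESCAPES.get(raw[j], raw[j]))
            i += 2
    return bytes(out)


def extract_uris(data):
    """Every /URI target in file order, hex-string form decoded too."""
    uris = []
    for m in URI_RE.finditer(data):
        tok = m.group(1)
        if tok.startswith(b"("):
            raw = _unescape_literal(tok[1:-1])
        else:
            digits = re.sub(rb"\s", b"", tok[1:-1])
            if len(digits) % 2:
                digits += b"0"                     # spec: odd trailing digit is padded with 0
            raw = bytes.fromhex(digits.decode("ascii"))
        uris.append(raw.decode("latin-1"))
    return uris


if __name__ == "__main__":
    for f in duplicate_objects(SAMPLE_PDF):
        print(f"{f['object']} defined {f['definitions']}x, {f['severity']}: "
              f"first-wins={f['first_wins']!r} last-wins={f['last_wins']!r}")
    print("URIs:", extract_uris(SAMPLE_PDF))
```

On the constructed input, object 3 is reported at info (body-only change, no active keys) while object 5 is raised to warning because both definitions are /URI actions, and a first-wins reader opens the example.org link where a last-wins reader opens the hex-encoded example.net one. The scan deliberately ignores the xref chain, so a real triage should also run a conforming parser that follows /Prev links (effectively last-wins) and should decompress any /ObjStm streams first, since objects hidden there are invisible to this regex.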

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off00010510.bin
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10510
  Size: 16792 bytes

font_01_sfnt_off00011d22.bin
  SHA-256: 8e96daaaa4e3d3a00bfccc9c018eaa802b4a51cc7ae55bb6f232089a984a656b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11D22
  Size: 19128 bytes

font_02_sfnt_off00014e19.bin
  SHA-256: b52bb9bc8f31a1cd08810ba5df84aeec60641ac9f28411ce85eda1960299c6f6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x14E19
  Size: 10036 bytes