Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf97af91d4b10915…

Verdict: MALICIOUS
File type: PDF
Size: 78.2 KB
Created: 2021-07-16 23:26:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 1dd454df29c11029cae957625bdb786f
SHA-1: b5e9bfab5ae99b861a2422fc0c29561716da9e54
SHA-256: bf97af91d4b1091522009f501ba49c34ab4e47b70c1e10fad25d1cb4d03cd0c2
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a PDF document that contains an embedded URL. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or malware delivery. While no scripts were directly extracted, the presence of an embedded URI and the overall detection suggest the document is designed to redirect users to a potentially harmful external resource.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9478

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off0000cfa1.bin
    SHA-256: 6c7ad5905e194fd2f82d241cb017c0d21be17082da775db5d64f61b691ce6788
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCFA1
    Size: 10264 bytes
  • font_01_sfnt_off0000e6a9.bin
    SHA-256: 41a31eb8ff51d1fed31c2d077a9fadd2dfe4b042a81151560a702f6533983df1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE6A9
    Size: 17684 bytes
  • font_02_sfnt_off00011487.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11487
    Size: 16792 bytes