Malicious PDF — malware analysis report

Static analysis result for SHA-256 bff6cb671acd30fb…

MALICIOUS

PDF

83.7 KB Created: 2021-07-21 06:32:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: c1f2bdf513f92c1b6ede053f7b3feb75 SHA-1: 8c2dd9981fcf86ccf5a2b1ae9c4c8adedd2dd8e0 SHA-256: bff6cb671acd30fbe4a635709cf1fddd44888747af5f7112f696390df723fa8d
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a PDF document flagged by ClamAV as a phishing trojan. It contains an embedded URL that points to a Google feedproxy, which in turn redirects to a Squarespace page. While the specific Squarespace URLs appear benign, the overall detection and the presence of an external URI suggest a phishing or malware distribution attempt. No scripts were extracted, limiting the analysis of the exact payload delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6221

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/S-4CHg4Qmwo/square?utm_term=anatomy+and+physiology+chapter+9+test+answers
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60f7445a59cd6b21980a92b9/1626817626955/21448355196.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e945f6f107ff2467ea1c2c/1625900534329/blind_date_mod_sims_4.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f6d3c70aae330909d9b4a8/1626788807775/what_is_the_legal_age_for_a_job.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e86b.bin
fb126174e7344922a2d9cc9ece3403b9bc1ee84b71d2f000c69706ef0ea6dc3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE86B 11308 bytes
font_01_sfnt_off000102c3.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x102C3 16792 bytes
font_02_sfnt_off00011ad5.bin
9bc7c688e7084833803b0f113eed161e5ebc12ff52e821b375ee5f08533b2098		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11AD5 15548 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.