Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2923d66ad85b8fa…

MALICIOUS

PDF

Size: 77.7 KB
Created: 2021-07-18 16:53:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 848d330c6eca177f1f7adac028ae799d
SHA-1: b5b55a18de5f02a32cd58d49af476bc0f6ef2968
SHA-256: c2923d66ad85b8fa71e738092ac6321dfa71c6e9fe8d58c9cdcf8cbd45be594b
Risk Score: 96

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment

The sample was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The PDF contains embedded URLs that likely lead to phishing or malware distribution sites. Although no scripts were explicitly extracted, the PDF structure and embedded URLs suggest it is designed to trick users into visiting malicious sites, aligning with phishing attack patterns.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9214

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000cf62.bin | 09dbb8fc25f0aa4ac25acbc8416f3a0de8a1cfad5d6c74016bee18375983a059 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCF62 | 10776 bytes
font_01_sfnt_off0000e83b.bin | 37ce2c7d79494a647aabe3cc11261e521bfb393f32454e0d804b5d504209c124 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE83B | 16448 bytes
font_02_sfnt_off000112cd.bin | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x112CD | 16792 bytes