Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2cc2b50356cceaa…

Verdict: MALICIOUS
File type: PDF
Size: 84.0 KB
Created: 2021-07-13 04:24:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 7e9ceaa85040723fce5eb4d4d4c75f74
SHA-1: d04989cc733601f700791d4a149eda70b6d169a5
SHA-256: c2cc2b50356cceaabab24a7da58893596901415a23b5a9c9d3c955dc68200392
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was flagged as malicious by ClamAV and a machine learning classifier, indicating a phishing attempt. The presence of embedded URLs, although many are confirmed benign, suggests an attempt to lure the user to malicious content. No scripts were extracted from this sample, but the PDF structure and heuristic firings point towards a malicious document, likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5817

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://feedproxy.google.com/~r/sq/ugae/~3/aauXj3bnHUA/square?utm_term=funny+quotes+by+famous+people
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60e8340180504e0a776d6001/1625830401973/panama_currency_in_spanish.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ecb63db067801019599739/1626125885631/freight_forwarding_agent.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60eca7f3e4ca3800a11b3eaa/1626122227162/someone_you_loved_easy_piano_chords.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ec8edf11a746407a422d8d/1626115807655/46977781615.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000e73e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE73E  16964 bytes
  SHA-256: e5abb40a2d4ab41931b2dad477e344a0718bbd3f065d389ae6e8d7c4e6a7ef42
font_01_sfnt_off00011364.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11364 10804 bytes
  SHA-256: a8a6434c4709536b19dcdc2f0ab8b51b111c402b95d60dbff955506387a2b66b
font_02_sfnt_off00012c2a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x12C2A 16792 bytes
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1