Malicious PDF — malware analysis report

Static analysis result for SHA-256 c747774e5f981f51…

MALICIOUS

PDF

Size: 73.5 KB  Created: 2021-07-17 04:22:45 +03:00  Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: c97b5563a8ac69d9eb80d9ef22f2c45e SHA-1: f5c5ea56979d5fa03bfc17749e7e0c32aa48eb40 SHA-256: c747774e5f981f516cecd44dee9ac4690c27d035b63d4dd1437c029c721b61ef
Risk Score: 66

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected by ClamAV as Pdf.Phishing.Trojan, indicating a phishing attempt. The PDF contains embedded URLs that could lead to malicious content. Although no scripts were explicitly extracted, the PDF structure and embedded URLs suggest an attempt to lure the user to a compromised site, likely for credential harvesting or malware delivery.

Machine Learning

  • Nyx PDF Classifier: clean score 0.2401

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://feedproxy.google.com/~r/sq/ugae/~3/W5vEtEh6t-A/square?utm_term=yonder+meaning+in+bengali
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60ecdb4b64a4563c8f75b53d/1626135371895/91047389156.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60ee054d1c6c1a61d5293547/1626211661243/27271526280.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000bcaa.bin
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xBCAA
  Size: 16792 bytes

Filename: font_01_sfnt_off0000d4bc.bin
  SHA-256: b336dc56f9634df5feb0d657693ea5d15a084436c6fba72780b6f6181ca2e67f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD4BC
  Size: 16952 bytes

Filename: font_02_sfnt_off0001013d.bin
  SHA-256: ff7b82e1babd5c40d4f26d9cfe3e5623a8e48e4fee77428dbed583f464a82d5b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1013D
  Size: 10448 bytes