Malicious PDF — malware analysis report

Static analysis result for SHA-256 c857c18553e765e1…

Verdict: MALICIOUS
File type: PDF
Size: 86.4 KB
Created: 2021-07-13 23:55:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 350ff8a8ad0061c640c77a9eedb4e008
SHA-1: 498dccaad4cf2290a3a93fee8e430d0422131d06
SHA-256: c857c18553e765e1db0477e5372e4200773137208db74c1718c95eb18c300221
Risk Score: 66

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF file was detected by ClamAV as a phishing trojan, indicating malicious intent. It contains multiple embedded URLs, some of which are confirmed benign, but the overall structure and the detection suggest it is designed to exploit vulnerabilities or trick users. No scripts were extracted, which limits analysis of the specific execution method.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3690

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://feedproxy.google.com/~r/razvivatel/yapz/~3/-MXWpcYQ7kA/square?utm_term=the+moonlight+drawn+by+clouds
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ecabcde0ada229be5ac36b/1626123213284/how_many_spades_in_a_pack_of_cards.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e85dc55a77f7003fb64d66/1625841093848/zafopak.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e932e90a287971af9a8e64/1625895657869/20404293098.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000d42a.bin
    SHA-256: 75bfa1c9e66a14f84ac3b3793c036b5740c696b374e6f4ea8625cde00856db03
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD42A
    Size: 29364 bytes
  • font_01_sfnt_off00010e71.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10E71
    Size: 16792 bytes
  • font_02_sfnt_off00012688.bin
    SHA-256: 38a55553e2973c9879a17af4a4b05470e2310948cc875ce1955ab6d113f816d2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12688
    Size: 11220 bytes
  • font_03_sfnt_off0001406d.bin
    SHA-256: 5a8ebcd58eb57a4b8dd0fae0335c5430225610603c44915cbc47ccf2db1a538e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1406D
    Size: 2572 bytes