Malicious PDF — malware analysis report

Static analysis result for SHA-256 c9f9fb37a8835355…

MALICIOUS

PDF

75.6 KB Created: 2021-07-12 21:03:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: a2f72a9d29fd544c16a950f5c6b3711f SHA-1: 68e7ae7076a44481b0b0a4f4fecb94d07d157686 SHA-256: c9f9fb37a8835355a0418120028c6b8993b3ed63e29de9914a5ac12117788c02
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing attempt. It contains an embedded URI pointing to an external website, which is likely the malicious payload delivery mechanism. No scripts were extracted, but the presence of an external URI strongly suggests a phishing or credential harvesting attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7703

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://irlanc.ru/square?utm_term=is+it+good+to+poop+twice+a+day
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60ec784b4027437375955575/1626110027336/will_banks_raise_interest_rates.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60ec7b72c217102653d549dd/1626110834806/easter_april_fools_day.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ec7e99fe047727940b2d34/1626111642012/objectives_of_financial_statements.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c8b4.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC8B4 16792 bytes
font_01_sfnt_off0000e0cb.bin
bcf08ac016ec83a346bf64ab5c75ae84be576feda01d1ce94f85368b7837b740		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE0CB 10588 bytes
font_02_sfnt_off0000f8ff.bin
f5971e91223855fd6cb62263ba04db78fb061161464a82927307f5af31f588fd		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF8FF 16200 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.