Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc9b30f790e90753…

Verdict: MALICIOUS
File type: PDF
Size: 84.0 KB
Created: 2021-07-13 17:18:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 1c79d4a556d8cb4777e13eb866216f0e
SHA-1: f665688efbb4801a2dd97110978535570093fe3f
SHA-256: cc9b30f790e9075357a0a5d38a410a892908d3dd49aa880d6830291b24c36507
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was flagged by the Nyx machine-learning classifier (malicious score 0.8298) and by a ClamAV phishing signature. Of the fourteen URLs extracted, six are navigable targets: a feedproxy.google.com (FeedBurner) redirect and five PDF downloads hosted on static1.squarespace.com. The remaining eight are XMP/RDF namespace identifiers and DejaVu font licence URLs; these are metadata strings rather than links and say nothing about intent. The report does not reproduce the document's text, so the specific lure cannot be read from it, but the classifier score, the signature hit and the outbound document links are consistent with a phishing or malware-distribution attachment (T1566.001).

Machine Learning

  • Nyx PDF Classifier malicious score 0.8298

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION
    ClamAV matched this file against the phishing signature named above.
  • External URI (info) PDF_URI
    The PDF contains an external URL action (/URI).
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when a duplicate definition carries active content (a /URI, /JavaScript or /Launch action, for example).
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the channel that reached it (macro, JavaScript, link annotation, document body, ...) decides how it should be read. The extracted URLs, grouped by what they are:
    Navigable targets:
    • https://feedproxy.google.com/~r/sq/ugae/~3/-MXWpcYQ7kA/square?utm_term=history+of+songhai+empire
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ec706fa1f8f93f64a9fefb/1626108015728/gobura.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e771f63e792b6fba2ed418/1625780727059/20947542375.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60e9395b025aa46e30d397b1/1625897307197/jefelijagegorodib.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60e910d85ebba154a8fb8cc2/1625886936723/23568086404.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60ed5484eaa19e084bbf547c/1626166405098/what_nuns_do.pdf
    XMP/RDF namespace identifiers (metadata, not links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    Font licence URLs (typically carried in an embedded DejaVu font's name table):
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
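As an added example, not part of this report or of the tooling that produced it, the Python script below shows the two PDF heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL) on a constructed two-revision PDF: it keeps every definition of every indirect object instead of letting a parser pick one, flags object numbers whose bodies differ, shows what a first-wins and a last-wins reader would each resolve, checks whether any duplicate carries active content, and labels each extracted URL with the channel that reached it so that XMP namespace URIs are separated from link targets. The sample PDF, the example.org URLs and all function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample, NOT the analysed file: a first revision whose link annotation
# (object 4) points at one URL, followed by an incremental update that redefines
# object 4 with a different target. Object 5 is an XMP metadata stream.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://example.org/benign) >> >>
endobj
5 0 obj
<< /Type /Metadata /Subtype /XML /Length 78 >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://example.org/lure.pdf) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Every "N G obj ... endobj" pair in the raw bytes, including superseded ones.
OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URL_RE = re.compile(rb'https?://[^\s<>"()]+')
# Action names whose presence makes a duplicate "active" (assumed list for the example).
ACTIVE_RE = re.compile(rb"/(URI|JavaScript|JS|Launch|SubmitForm|GoToR|OpenAction|AA)\b")
# Well-known XMP/RDF namespace prefixes: metadata identifiers, not navigable links.
NAMESPACE_PREFIXES = (b"http://www.w3.org/", b"http://purl.org/dc/", b"http://ns.adobe.com/")


def parse_objects(data):
    """Return {(num, gen): [(offset, body), ...]} in file order, keeping every definition."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objs[key].append((m.start(), m.group(3).strip()))
    return objs


def duplicate_objects(objs):
    """Objects defined more than once whose bodies are not byte-identical."""
    return {k: v for k, v in objs.items() if len(v) > 1 and len({b for _, b in v}) > 1}


def resolve(objs, key, policy="last"):
    """Simulate a first-wins or last-wins reader for one object number."""
    defs = objs[key]
    return defs[0][1] if policy == "first" else defs[-1][1]


def triage_duplicates(objs):
    """Per duplicated object: what each reader policy sees, and whether any body is active."""
    report = {}
    for key, defs in duplicate_objects(objs).items():
        report[key] = {
            "definitions": len(defs),
            "first_wins": resolve(objs, key, "first"),
            "last_wins": resolve(objs, key, "last"),
            "active": any(ACTIVE_RE.search(b) for _, b in defs),
        }
    return report


def channel_for(body):
    """Coarse label for the channel through which a URL in this object is reached."""
    if re.search(rb"/S\s*/URI\b", body):
        return "link annotation (/URI action)"
    if b"/JavaScript" in body or b"/JS" in body:
        return "JavaScript"
    if b"/Type /Metadata" in body or b"xmlns" in body:
        return "XMP metadata"
    return "document body"


def extract_urls(objs):
    """{url: set(labels)} over every definition, so a URL that exists only in a
    superseded revision is still reported."""
    found = defaultdict(set)
    for defs in objs.values():
        for _, body in defs:
            label = channel_for(body)
            for url in URL_RE.findall(body):
                if url.startswith(NAMESPACE_PREFIXES):
                    label = "XMP namespace (benign)"
                found[url.decode("latin-1")].add(label)
    return dict(found)


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    for key, info in triage_duplicates(objs).items():
        print(f"object {key[0]} {key[1]}: {info['definitions']} definitions, active={info['active']}")
        print("  first-wins:", info["first_wins"][:90])
        print("  last-wins: ", info["last_wins"][:90])
    for url, labels in sorted(extract_urls(objs).items()):
        print(url, "<-", ", ".join(sorted(labels)))
```

The object walk is deliberately regex-based over the raw bytes rather than built on a PDF library, because a library's own first-wins or last-wins policy is exactly what hides one of the two definitions; on a real sample, feed it the file bytes, not a parsed object tree. Objects packed inside compressed object streams (/ObjStm) are not unpacked here and would be missed.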

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d9d5.bin
  SHA-256: c75444530f2d30437d24b3d19051042646f04e76dd11618df6419c6881a93228
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xD9D5
  Size:    28400 bytes

Filename: font_01_sfnt_off00011379.bin
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x11379
  Size:    16792 bytes

Filename: font_02_sfnt_off00012b90.bin
  SHA-256: 531abfaeab055f5099b3c5ff87d89a32705bac4e71a35ccd85daf195f85075f7
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x12B90
  Size:    10864 bytes