Malicious PDF — malware analysis report

Static analysis result for SHA-256 ccc4e47a6800d10d…

Verdict: MALICIOUS
File type: PDF
Size: 145.4 KB
Created: 2021-07-13 19:57:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: b3fcfd8eb8989b03728cd9f815a8ec3e
SHA-1: 0c711eb5edabcdf9837bd8743031291249413aa6
SHA-256: ccc4e47a6800d10d37608160422efbdf41ff47c455f730aff9559ab7273b256e
Risk Score: 66

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file was detected by ClamAV as a phishing trojan, indicating malicious intent. The presence of embedded URLs suggests an attempt to redirect the user to malicious sites or download further payloads. The document body was unreadable, but the overall structure and heuristic firings point towards a phishing or trojan delivery mechanism.

Machine Learning

  • Nyx PDF Classifier clean score 0.2491

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists the carved file's name, SHA-256, kind, source and size.

  • font_00_sfnt_off0001b96a.bin
    SHA-256: 22947db83f5315ce6fbc8258a6e457707762d190b4a98cd3e65ee7cfff1504e3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1B96A
    Size: 10800 bytes
  • font_01_sfnt_off0001d249.bin
    SHA-256: 23a72e96ede214da763618be469216698eb8c0b7647d4b98f4f1a817281d6f67
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1D249
    Size: 19184 bytes
  • font_02_sfnt_off0001f2ae.bin
    SHA-256: 3727a2d860f45439b943b83d31d06e6f3308955145d4e014ee33d575b28c3451
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1F2AE
    Size: 17896 bytes
  • font_03_sfnt_off0002222d.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2222D
    Size: 16792 bytes