PDF malware analysis — malicious · ce1bc4c2415a1213

MALICIOUS

PDF

104.9 KB Created: 2021-07-12 22:01:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-20

MD5: b19554ae3eb0370a3fda8e8f9bb87ff5 SHA-1: 29e57248f341116da621f5b9fd4b9b452d97279f SHA-256: ce1bc4c2415a1213435dc71edf34b17b5b118813b363cd8a56790196b60df839

66 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with a Pdf.Phishing.Trojan signature. It contains embedded URLs that, while currently flagged as benign, are indicative of a phishing attempt. The PDF structure itself is unusual, being generated by wkhtmltopdf, which can be leveraged to host malicious content. No scripts were extracted, but the presence of external URIs suggests an attempt to redirect the user to a malicious site.

Machine Learning

Nyx PDF Classifier suspicious score 0.3225

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://feedproxy.google.com/~r/sq/ugae/~3/7R6buoffwiA/square?utm_term=what+does+cuarto+mean+in+spanish PDF link annotation
- https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e898571534e367035353fd/1625856088098/systems_biology_book.pdfIn PDF document text
- https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ec834e668ba31612b6065e/1626112847046/wsdl_to_java_example.pdfIn PDF document text
- https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ec8467d0153e73bf8be526/1626113127648/lobsang_rampa_the_cave_of_the_ancients.pdfIn PDF document text
- https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ec794aad1bf7105ccad11a/1626110282189/ximagavexilefuwo.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000112ff.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x112FF	16444 bytes
SHA-256: `8ae84c7b98dd32b1eeaea15851f305d19d653c1e20991e9a3877098ecb715807`
`font_01_sfnt_off000129c5.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x129C5	24276 bytes
SHA-256: `6c5a7599827962432d4e6f1ba9dbd65bf23ef38cf1090fe879a1c358cd9fa669`
`font_02_sfnt_off00016677.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x16677	10824 bytes
SHA-256: `9d8391f5e5ac75621b316c4f64d0269e011db1fa2998717613d3db7abdd28fe3`
`font_03_sfnt_off00017f4a.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x17F4A	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.