Malicious PDF — malware analysis report

Static analysis result for SHA-256 d05eddf922c0fc9b…

MALICIOUS

PDF

77.7 KB Created: 2021-07-18 03:11:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 70aa565f6d8626cb876804917e22c2f3 SHA-1: 93a343e17e71fd12db0a5bdcba69819457061a32 SHA-256: d05eddf922c0fc9b7066e6170952756d2c31182971d8443a0d653757d7062a5c
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample was detected by ClamAV as Pdf.Phishing.Trojan and an ML classifier flagged it with high confidence. The PDF contains embedded URLs, suggesting it is designed to lure users to malicious content or download further stages. The presence of these indicators points towards a phishing or exploit-based attack vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8897

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/k6oGaauGqGM/square?utm_term=create+your+own+rss+feed
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60f34d59fb6d8f5e805872f5/1626557785604/swelling_left_foot_icd_10.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e79a314aaab0286a871d91/1625791025390/what_is_the_collective_noun_for_robbers.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ee1e921f51426150cacaa8/1626218130429/bible_verse_about_counting_blessings.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60f0bfc3b238236d232d1650/1626390467361/tikavo.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60ec90ba478ebe26bfc67f74/1626116282851/wickedwhims_not_working.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ec7ca067baa26076bb1494/1626111136765/can_i_add_comments_to_a_file.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d039.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD039 16792 bytes
font_01_sfnt_off0000e850.bin
bdbed5d1d29909cbcafdbdf336f42156e696cd9774eac29b6fc35bf574562acb		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE850 10540 bytes
font_02_sfnt_off00010094.bin
f12f10505e61a44d6007aac29e2465ff6e9ddfeca1a45378ad17b867dceb651d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10094 16280 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.