Malicious PDF — malware analysis report

Static analysis result for SHA-256 d178d61d0ab78dd6…

Verdict: MALICIOUS
File type: PDF
Size: 119.9 KB
Created: 2021-07-21 22:34:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 7f8e10fa66bc2bff08be436f5c19cb6e
SHA-1: 04ae03ee42f293549a5d696425402e54f5575710
SHA-256: d178d61d0ab78dd6f9afb1e6c13c71489600568a50d6daa9e1b350dfdcd7922b
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier, indicating malicious intent. The presence of embedded URLs suggests a phishing or credential harvesting attempt, likely leading to the download of a secondary payload. The file's structure and detection patterns are consistent with known PDF-based malware delivery mechanisms.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size.

  • font_00_sfnt_off000173f2.bin
    SHA-256: 254013ac33b9bd8ab8e67721680a44e39c01d21d236513bd2dd3c1469097a90c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x173F2
    Size: 10496 bytes
  • font_01_sfnt_off00018bed.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x18BED
    Size: 16792 bytes
  • font_02_sfnt_off0001a3ff.bin
    SHA-256: 9a317759ef8a83962c7581a5a565f3120cb859222b2bf6e10af7fa8f44da6707
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1A3FF
    Size: 17200 bytes