Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1876686ca27eafd…

Verdict: MALICIOUS
File type: PDF
Size: 97.5 KB
Created: 2021-07-13 19:07:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 87b1dde92de892bcd7e8f2fb03a5518d
SHA-1: fd87af9ad7ef980e8063759b054d719fb8581717
SHA-256: d1876686ca27eafd9cc23328f8bcee6bb1a390344107ed886045335f46d76de9
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan, and a machine learning classifier indicated a high probability of maliciousness. An external URI, https://inwebjor.ru/square?utm_term=medium+quiz+questions+with+answers, was extracted, suggesting that the document's purpose is to redirect users to a potentially malicious site. The document body is heavily obfuscated and unreadable, but the presence of an external URI together with the high-confidence threat detections points to a phishing or malware delivery attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9985

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://inwebjor.ru/square?utm_term=medium+quiz+questions+with+answers

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000117e6.bin
    SHA-256: 6adf8f7dbef5e5cc10ebe97ab15edd9383329e3964a9edbdf98606be968a9b19
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x117E6
    Size: 18508 bytes
  • Filename: font_01_sfnt_off00014882.bin
    SHA-256: 806b2819ba9455fbb68f7616da8172ca5fe450ce230d822607c2f15a83d86f9a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14882
    Size: 10852 bytes
  • Filename: font_02_sfnt_off0001614a.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1614A
    Size: 16792 bytes