Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3fe01b981f539cb…

MALICIOUS

PDF

73.3 KB Created: 2021-07-13 15:54:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 18fb2756df05eb716fc3f6498cac8448 SHA-1: 5cd076aa5500baa44497daca080e1728f5388d36 SHA-256: d3fe01b981f539cb3228bfa7d48d9a060949af1c160b1891cd02a0cfe1b59d7b
66 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The ClamAV heuristic identified this PDF as 'Pdf.Phishing.Trojan-d2568dad23a94d95', indicating a phishing or trojanized document. The presence of multiple embedded URLs, even if some are marked as benign, suggests an attempt to redirect the user to malicious content or download further stages. The PDF structure also shows signs of manipulation with duplicate object bodies, which can be used to hide malicious content.

Machine Learning

  • Nyx PDF Classifier clean score 0.1797

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/razvivatel/yapz/~3/nCRFBnYrBHY/square?utm_term=call+of+duty+ppsspp+iso
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ec7fcbfa40056e74d1d5d1/1626111947577/pezamepawawesepebod.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e8f3f20a287971af9815d7/1625879538149/bosezinaparanewatas.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bddc.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBDDC 16792 bytes
font_01_sfnt_off0000d5f3.bin
33b590e81e48c2aac8baf2df64a3cc77457d403639fe0425299bd93cdfe5eabe		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD5F3 10400 bytes
font_02_sfnt_off0000eda8.bin
82315cfa60a73cd0a8cd4ee8e5231f116869c474d0e61906c3d9199c5df8c74a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEDA8 17280 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.