Malicious PDF — malware analysis report

Static analysis result for SHA-256 d849bae9e2fbe683…

MALICIOUS

PDF

74.3 KB Created: 2021-07-15 14:41:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: fccc3e6286ae0b64f0fbf751c94bd344 SHA-1: 76cd4a246ecc7d915d49db2b42ee0eec7a868ef7 SHA-256: d849bae9e2fbe68330250c1d49947a9aeee3a73046474240fbda5e76e9d5da23
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The presence of embedded URLs, despite some being marked as benign, suggests an attempt to redirect the user or download further malicious content. The PDF structure itself appears to be exploited, as indicated by the 'PDF_DUPLICATE_OBJ_BODY_INCREMENTAL' heuristic.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7703

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/razvivatel/yapz/~3/1LSSs5qy-i4/square?utm_term=the+devouring+gray+pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60ee5314114e6b7b7de84b8d/1626231572985/33967798634.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60ec83efc217102653d64f20/1626113007933/nulewunedikalu.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60e8ec7c2a6f785f5831c5f7/1625877628738/four_by_veronica_roth.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c214.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC214 16792 bytes
font_01_sfnt_off0000da26.bin
fb30a2644bb53b97e1c81bbe4b90dd255f37b6dd1789d7f1b6ec6e108d457076		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDA26 16668 bytes
font_02_sfnt_off0001053e.bin
585ee842e226f03f1d7304865c502d825e0b5dd6656c1bfe08d9f05149161ce0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1053E 10708 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.