Malicious PDF — malware analysis report

Static analysis result for SHA-256 de0a4bc2936df143…

MALICIOUS

PDF

105.4 KB Created: 2021-07-15 12:45:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 6a6bf4c9ace2c7bbed6e38eb632d57e0 SHA-1: ada9899e7e29f40b068a0bd2773804c86410da2f SHA-256: de0a4bc2936df143e33e9ee2279d129a8852d1eca1ea2e7e2f76188227b9da4f
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was flagged by ClamAV and an ML classifier as malicious, indicating a phishing or malware distribution attempt. The presence of embedded URLs, though currently classified as benign, suggests an attempt to redirect the user to malicious content. No scripts were extracted from this sample, limiting the analysis of its specific execution behavior.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5511

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/5JeRQhMeIYg/square?utm_term=nelly+kane+brown
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60ec893d72e2584f2463e45c/1626114365624/54466986574.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60ee40597dee9f188f78bd68/1626226777256/vukixodamezuwifejuduz.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e7e6b1a3609a707bac8fab/1625810610417/zozagumiwapule.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60ee403cb1dcdf258da81a83/1626226748912/40500563817.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60edf104ebcbe27d0c7fbfde/1626206468260/vujasarevuxajopinulajil.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e76a504fae2d22fbfe5716/1625778768606/16407285278.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001305f.bin
281ba3e9dfd6bce1077072b21e1d5e962fd1c6ff2dbcdebc3e3cc7897fb48756		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1305F 1828 bytes
font_01_sfnt_off000138ee.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x138EE 16792 bytes
font_02_sfnt_off00015100.bin
711af20a6f71a7068b44cd489b19ed31d710597f9e3092f46885a94ed747a21d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15100 18624 bytes
font_03_sfnt_off0001812f.bin
c069354300eb13a267e001436e4e945fd9c650c2e998e7432c60d93098cc0b18		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1812F 10152 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.