Malicious PDF — malware analysis report

Static analysis result for SHA-256 df30f6596a12bd96…

MALICIOUS

PDF

79.6 KB Created: 2021-07-13 21:15:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 0fd46fa367adba2b3c194dc31f811348 SHA-1: cb7b6ff7f7b61fc2a9157a75b24cef830be19ad2 SHA-256: df30f6596a12bd96afeb5eec543601089f9faaab7002f42d8ef8bb3062dce1ec
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains embedded URLs, and while the document body is heavily obfuscated, the presence of PDF-specific heuristics suggests an attempt to exploit PDF vulnerabilities or deliver malicious content. The primary attack vector is likely spearphishing attachment, with potential for further exploitation via embedded scripts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8374

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/uzX87CUNjRg/square?utm_term=definition+of+rural+area+pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60ec8da097282d6f469108f8/1626115488292/minor_arcana_meanings.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60ec7f6af89f8e700bf6f738/1626111851076/best_of_the_grinch.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60e8f1a792abcc18c4f3d566/1625878951999/wejewokefosakajoxut.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60ec920d7a6a16267649c9bf/1626116622119/hollym_holiday_park.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60ec9dcabcf8be39b507b878/1626119627109/tapeworm_is_caused_by.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d4c4.bin
e642393d6ae38c39255f314783da0d6931d4e07760c02229fbfb61a01aec4ca9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD4C4 10424 bytes
font_01_sfnt_off0000ec75.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEC75 16792 bytes
font_02_sfnt_off00010487.bin
af8c16c616a8e3b285da99fcfc3661fd0d1c0f6ef61c8d41d28236f53b849293		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10487 17472 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.