Malicious PDF — malware analysis report

Static analysis result for SHA-256 e0c99b5c377097a3…

MALICIOUS

PDF

77.1 KB Created: 2021-07-16 15:04:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: cbe8983c879d1c0c2f5239eec14db544 SHA-1: 748141ff3bd22d620ab28418bcecdf67911d29d1 SHA-256: e0c99b5c377097a35c3e0f359535016433bd8f0dd8147585f8a09519b9b736c8
66 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The ClamAV heuristic identified this PDF as 'Pdf.Phishing.Trojan-d2568dad23a94d95', indicating a malicious phishing or trojan payload. The presence of embedded URLs, although marked as benign, suggests an attempt to redirect the user to malicious content. The file's structure and the detection name point towards an exploit being used for client execution, likely delivered via a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier clean score 0.1751

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/X6hrLWyzjlw/square?utm_term=which+one+of+the+following+statements+about+change+model+is+correct
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f073d0c358bb447606fe53/1626371024359/plants_turned_yellow.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cb21.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCB21 16792 bytes
font_01_sfnt_off0000e338.bin
2ee20b82fcc9d128839defcc2f985cc352af88c59f12f21deae600133c50a041		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE338 11240 bytes
font_02_sfnt_off0000fd39.bin
ed28ed4399964e5bbec7e2d26df0aad2cfd7d2459b68abc72971457fd7d84367		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFD39 16496 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.