Malicious PDF — malware analysis report

Static analysis result for SHA-256 efe479b72277dfac…

Verdict: MALICIOUS
File type: PDF
Size: 79.9 KB
Created: 2021-07-20 10:52:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: e3efa632a87c3b144685627c97b305e7
SHA-1: e02f6abfb84f0e6d7001a0d1295769c52a315dfe
SHA-256: efe479b72277dfac5721745f8ee567afbe2e2783624e21e7a447978cb78f7eb7
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as a malicious PDF, likely a phishing trojan, based on ML classification and ClamAV detection. It contains embedded URLs, suggesting it may attempt to redirect users to malicious sites or download further payloads. The presence of PDF_URI and EMBEDDED_URL heuristics indicates attempts to interact with external resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6556

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://feedproxy.google.com/~r/razvivatel/yapz/~3/-MXWpcYQ7kA/square?utm_term=what+is+point+line+line+segment+and+ray
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60ec90c27dc7460dd09bdce4/1626116290895/61863128647.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60ee64f2e03b615e099089f4/1626236146653/25146093924.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f46719a047b636122f94be/1626629913195/synonyms_of_intelligent.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000d4f9.bin
    SHA-256: bb486019b46f3243252da74c9c295144478ed33516ebac859728d7f2ea570e60
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD4F9
    Size: 17368 bytes
  • font_01_sfnt_off000102c4.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x102C4
    Size: 16792 bytes
  • font_02_sfnt_off00011adb.bin
    SHA-256: 80e8eec7b5facfb5ef1d5a7dc1738400928bbd1e08605bfb621524ddde00f786
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11ADB
    Size: 10948 bytes