Malicious PDF — malware analysis report

Static analysis result for SHA-256 f09e46f7a326b0de…

Verdict: MALICIOUS
File type: PDF
Size: 73.8 KB
Created: 2021-07-13 12:48:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 0017fd14839575e6028ca0f311fa6cc7
SHA-1: 6d95ae138329c2d0411792482211799cba5e81fa
SHA-256: f09e46f7a326b0de2b3dc733858b0a3a969e9867fcebde6fbe3209c932118778
Risk score: 66

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 is the only critical finding and classifies the file as a phishing trojan delivered as a PDF attachment. The remaining heuristics are consistent with a link-based lure rather than an exploit document: the only active content flagged is an external URI action, the extracted URLs include a feedproxy.google.com redirector and two PDFs hosted on static1.squarespace.com, and no JavaScript, launch action or embedded executable was reported, so the T1203 mapping is not corroborated by a stream-level finding. The document has no readable body text; the three embedded sfnt fonts and the wkhtmltopdf producer string are consistent with a page rendered from HTML. The duplicate object body finding means first-wins and last-wins parsers may resolve different content, so follow-on analysis should inspect both revisions of the affected object. The w3.org, purl.org, ns.adobe.com and dejavu.sourceforge.net URLs are XMP namespace and font-licence identifiers, not endpoints the reader contacts. Use the SHA-256 above as the primary identifier when pivoting.

Machine Learning

  • Nyx PDF Classifier suspicious score: 0.2592

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV signature match; this is the finding that drives the MALICIOUS verdict.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader resolve different content, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also what a benign incremental update leaves behind, so severity is raised only when the duplicate body carries active content (an action, JavaScript, a launch or an embedded file).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; what matters is the channel that reached it (URI action, link annotation, JavaScript, document body, XMP metadata). Schema namespace URIs under w3.org, purl.org and ns.adobe.com are metadata boilerplate and are never contacted by a reader.
    • https://feedproxy.google.com/~r/razvivatel/yapz/~3/gPkW7oTCsL0/square?utm_term=toccata+in+c+major
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60e8ce6b54da9c6696c559fd/1625869931985/frances_declaration_of_the_rights_of_man.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60ed48894616123fc5f9588c/1626163338058/funniest_exam_answers.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
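The two structural heuristics above (duplicate object bodies from an incremental update, and URLs labelled by the channel that reached them) can be reproduced with a short static scan. The following is an added example written for this page, not code from the analysis tool that produced the report; the object regex, the list of active-content keys and the constructed SAMPLE_PDF are assumptions, and the scanner deliberately does not inflate streams or unpack object streams, so it is a triage aid rather than a parser.

```python
"""Added example (not the report tool's own code): a minimal static scan
over a PDF byte string that reproduces two of the heuristics above.

- duplicate_objects(): indirect objects defined more than once with
  differing bodies, as left behind by incremental updates; a first-wins
  and a last-wins parser resolve different content, and severity is
  raised only when a duplicate body carries active content.
- labelled_urls(): every URL in the file tagged with the channel that
  reached it (URI action, JavaScript, XMP metadata, plain body).

Assumptions: "N G obj ... endobj" is matched with a regex; streams are
not inflated and object streams (/ObjStm) are not unpacked.
SAMPLE_PDF is constructed for this example."""
import re
from collections import defaultdict

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URL_RE = re.compile(rb"https?://[^\s<>\"')]+")
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b")
METADATA_RE = re.compile(rb"/Type\s*/Metadata\b")
# Keys whose presence in a duplicate body turns "benign incremental
# update" into "parser confusion worth a look" (assumed list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/EmbeddedFile")


def objects(pdf):
    """Yield (num, gen, body) for every object definition, in file order,
    including redefinitions appended by incremental updates."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(pdf):
    """Map (num, gen) -> details for objects whose body bytes differ
    between definitions.  Byte-identical re-emissions are ignored."""
    bodies = defaultdict(list)
    for num, gen, body in objects(pdf):
        bodies[(num, gen)].append(body)
    report = {}
    for key, seen in bodies.items():
        distinct = []
        for b in seen:
            if b not in distinct:
                distinct.append(b)
        if len(distinct) > 1:
            report[key] = {
                "first_wins": distinct[0],   # what a first-definition parser sees
                "last_wins": distinct[-1],   # what an update-aware parser sees
                "active": any(k in b for b in distinct for k in ACTIVE_KEYS),
            }
    return report


def labelled_urls(pdf):
    """Map url -> sorted list of channels.  A /URI action is clickable
    content; XMP namespace URIs are schema identifiers a reader never
    contacts and are not indicators on their own."""
    found = defaultdict(set)
    for _num, _gen, body in objects(pdf):
        if METADATA_RE.search(body):
            channel = "xmp-metadata"
        elif b"/JavaScript" in body or b"/JS" in body:
            channel = "javascript"
        elif URI_ACTION_RE.search(body):
            channel = "uri-action"
        else:
            channel = "document-body"
        for url in URL_RE.findall(body):
            found[url.decode("latin-1")].add(channel)
    return {url: sorted(chs) for url, chs in found.items()}


def triage(pdf):
    """One verdict for both checks: 'info' for body-only duplicates,
    'suspicious' when a duplicate body carries active content."""
    dups = duplicate_objects(pdf)
    severity = "suspicious" if any(d["active"] for d in dups.values()) else "info"
    return {"duplicates": dups, "urls": labelled_urls(pdf), "severity": severity}


# Constructed sample: a one-page PDF whose link annotation (object 5) is
# harmless in the first revision and gains a /URI action in an appended
# incremental update.  xref tables are omitted; the scanner ignores them.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] >> endobj
6 0 obj << /Type /Metadata /Subtype /XML /Length 96 >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://redirector.example.invalid/track) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

if __name__ == "__main__":
    result = triage(SAMPLE_PDF)
    for (num, gen), d in result["duplicates"].items():
        print(f"object {num} {gen}: redefined, active={d['active']}")
    for url, channels in result["urls"].items():
        print(f"{url}  [{', '.join(channels)}]")
    print("severity:", result["severity"])
```

Run against a real sample, the first-wins and last-wins bodies of any flagged object are the two views to diff; a scanner that only reads the first definition would see the harmless annotation while the viewer, which honours the incremental update, follows the URI action.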

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256

font_00_sfnt_off0000c288.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xC288
  Size: 16304 bytes
  SHA-256: 04fa66feb4a81dd066e90a15418b4b919c7bc9afbc5a1e47d58a93b3df1ae66c

font_01_sfnt_off0000ed30.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xED30
  Size: 10140 bytes
  SHA-256: 2afec017d68b524daa492cef23a3bad2936387583db099062060bf5e481acab8

font_02_sfnt_off000103bd.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x103BD
  Size: 16792 bytes
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1