Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1d19f34b37fcb34…

MALICIOUS

PDF

75.4 KB Created: 2021-07-17 02:43:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: fd99b6ccb362a3feaa9ac27ec5630d30 SHA-1: fa1d0097cd03a7af93f5d1b0ee9fb7b61871dde8 SHA-256: f1d19f34b37fcb344b1694133ff321bb6a8dd532626e54067893c1a48c0deaf3
66 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected by ClamAV as Pdf.Phishing.Trojan, indicating a phishing intent. The presence of embedded URLs, although marked as benign in this analysis, suggests an attempt to redirect users to malicious sites. The PDF structure itself contains elements that triggered heuristics related to external URIs and duplicate object bodies, which are common in malicious PDFs.

Machine Learning

  • Nyx PDF Classifier clean score 0.2489

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/razvivatel/yapz/~3/UQ8tT55rDuk/square?utm_term=unitary+and+hermitian+matrices
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ee4d643753dc428c896964/1626230116432/xemazero.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60f21940b883f70e9c6eae68/1626478912449/63500940868.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c20a.bin
cca57e9074af499c3a3303cfe190b3a040109e244a13340702e0f95af4102359		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC20A 17952 bytes
font_01_sfnt_off0000f1cc.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF1CC 16792 bytes
font_02_sfnt_off000109e3.bin
f25d61884186a1b8333d438d3e2ec1daec158655611184226fa7d4e069c515d9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x109E3 10588 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.