Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa4f114b93fc2e2e…

Verdict: MALICIOUS
File type: PDF
Size: 76.5 KB
Created: 2021-07-13 22:58:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 34234d3e2ddd9a5e9d49ad38d9399c19
SHA-1: 637d6e2bb8da24fc651e53544b2c97de8fec6b42
SHA-256: fa4f114b93fc2e2e83b8bca56644d87dc3563d4e2fec5ff044e0f771cdcd7ea6
Risk score: 66

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The ClamAV heuristic identified this PDF as 'Pdf.Phishing.Trojan'. While the document body is heavily obfuscated and unreadable, the presence of embedded URLs and the ClamAV detection strongly suggest a phishing or malware distribution attempt. The primary URL found, though marked as benign, points to a pattern often used in lures. The PDF structure itself contains embedded objects that could potentially host malicious scripts or exploit code.

Machine Learning

  • Nyx PDF Classifier: clean score 0.1551

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://feedproxy.google.com/~r/sq/ugae/~3/u8n3KCQdUYc/square?utm_term=red+claw+crab
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60ec993e4f558d0bf39dc72c/1626118462983/ambitious_in_tagalog.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

Filename: font_00_sfnt_off0000cd25.bin
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xCD25
  Size: 16792 bytes

Filename: font_01_sfnt_off0000e53c.bin
  SHA-256: c9a2cdefc6708a185ad6aee64b02591b8364478d8a4aa65ab473d41bc322694b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE53C
  Size: 10052 bytes

Filename: font_02_sfnt_off0000fbba.bin
  SHA-256: 6ab0322c8ba28c5f80e03af2db648fe45080e166a171cd286cc43f9fd77ccd95
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFBBA
  Size: 16716 bytes