PDF malware analysis — malicious · fc87479d226e88f8

MALICIOUS

PDF

79.2 KB Created: 2021-07-14 02:27:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 89812984b0d6d5769c73a2ac2b6dfac3 SHA-1: e5e6f4d5763aaddbb9bda736b1140aeecfbd5392 SHA-256: fc87479d226e88f8ec72368d49128649ed1e4a1899d5ca31926b79efb46d3095

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file was detected by ClamAV as 'Pdf.Phishing.Trojan' and flagged by an ML classifier, strongly suggesting malicious intent. The presence of embedded URLs, although marked as benign in this instance, is typical for phishing lures. The primary attack pattern is likely spearphishing via attachment, leading to exploitation for client execution.

Machine Learning

Nyx PDF Classifier malicious score 0.9478

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://feedproxy.google.com/~r/razvivatel/yapz/~3/-MXWpcYQ7kA/square?utm_term=five+themes+of+geography+pdf
- https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ed95c850566b3f86655b34/1626183112730/46305065395.pdf
- https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e90777dc37083541b7bc38/1625884535248/thank_you_jesus_for_the_cross.pdf
- https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e8c3146955380ad9e6d925/1625867028870/water_resources_engineering_notes.pdf
- https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60ededf2a4137771ba03c318/1626205682724/omphalocele_signs_and_symptoms.pdf
- https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e7cfe051cb2a526cfc2177/1625804768975/thermocouple_thermometer.pdf
- https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60ee1e2c27fa864c7d0f5014/1626218028672/83933403914.pdf
- https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e8e3922c5c2f6215c5e64c/1625875346679/93435135889.pdf
- https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e8f42cf107ff2467e7183d/1625879596949/94080231562.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d323.bin` `3616b0118372a3d406fcfb44feb9e95112bdeddd0d989c3e26992a87c88c2a97`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD323	10952 bytes
`font_01_sfnt_off0000ec60.bin` `0478c2774679efa15a2f5ec931a0bb228eae78e9dca0dc25732b64ec00c6d766`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEC60	16640 bytes
`font_02_sfnt_off0001172b.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1172B	16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.