Malicious PDF — malware analysis report

Static analysis result for SHA-256 fd6394b42b6ef76c…

Verdict: MALICIOUS
File type: PDF
Size: 90.1 KB
Created: 2021-07-13 10:17:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 9b3c13a9f3836475a97c04c8cc84b080
SHA-1: 02a9d1f74c5853855af1fd8525b19e210ada3e8a
SHA-256: fd6394b42b6ef76c4459236e574bb30dba3fa1fe59b98428b1467f4a36f3b980
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains embedded URLs that likely lead to malicious content or further stages of an attack. Although no scripts were explicitly extracted, the PDF structure and embedded URLs suggest an attempt to exploit users through deceptive content, aligning with spearphishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8627

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://feedproxy.google.com/~r/razvivatel/yapz/~3/gPkW7oTCsL0/square?utm_term=tren+ace+and+test+e+cycle
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e8ac38fc91e4447a648520/1625861176275/76592136158.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e92ed1e6a58043b6921b0a/1625894609151/96927983594.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60ed2c2a6ebf0d48ea8cab23/1626156074974/24410850870.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60ec8ff39c874e714248a676/1626116083768/motabuguveduxutulerirefav.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ecb6875b92cb3d5f9efe92/1626125959284/37013381098.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60ed0bcd1c817c33f6d258cf/1626147789325/watukijogujugafolaru.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60e7e6fc4aaab0286a8b088e/1625810685077/propanone_to_triiodomethane.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0000fdad.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFDAD
    Size: 16792 bytes
  • font_01_sfnt_off000115c4.bin
    SHA-256: 2fccf0765c4b983f39f0c4454a6ca1fd4632dc4145f0d684f6069c6fa07b6cc4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x115C4
    Size: 10228 bytes
  • font_02_sfnt_off00012ce1.bin
    SHA-256: ebe48c0689f8776d5dc749077f9b14f0b7d45916a2dda9241b4176c7bedda542
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12CE1
    Size: 17940 bytes