PDF malware analysis — malicious · fd870020d81cb169

MALICIOUS

PDF

74.8 KB Created: 2021-07-13 23:34:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: e8b69500d719e112dbc07844132e6e1a SHA-1: 94d08c423dfcd681436fa68219e9c2a673743a7a SHA-256: fd870020d81cb169e39daac911adb67f5d261dc6f50b154d5330718db15bb729

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The presence of embedded URLs, though many are confirmed benign, suggests a potential phishing or credential harvesting attempt. The file's structure and detection by multiple engines point towards exploitation for client execution, possibly via a PDF vulnerability.

Machine Learning

Nyx PDF Classifier malicious score 0.7746

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://feedproxy.google.com/~r/sq/ugae/~3/k6oGaauGqGM/square?utm_term=convert+pdf+to+word+for+mac+online
- https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ed9e8558c2e000956163ff/1626185349198/404_essential_tests_for_ielts_answers.pdf
- https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60e8e9763b7e7c63344d4473/1625876854778/lenze_8200_smd_manual.pdf
- https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60e93b4af492d21a0f6bb02e/1625897802375/sovizulomanu.pdf
- https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60edc99780caa629c1d9f88b/1626196375954/new_pan_card_application_form_2020.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c695.bin` `4b77b19867fce6fe49d384709bf0cbb5c2b1a15469150dde3a3bee52c63f3f3b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC695	15528 bytes
`font_01_sfnt_off0000ee71.bin` `42bc88312dab66edcc24dcf6982384076a1d7b18ecdf3f4abfb1337f6d133426`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEE71	10796 bytes
`font_02_sfnt_off00010763.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10763	16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.