Malicious PDF — malware analysis report

Static analysis result for SHA-256 febc62f7e3bbe771…

Verdict: MALICIOUS
File type: PDF
Size: 74.5 KB
Created: 2021-07-14 02:53:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 3ffc6a04af162d34ed1b211e2c42d41f
SHA-1: 1ed458d33074fe9fa9c243211b5b682f2ba37407
SHA-256: febc62f7e3bbe7717721ce0acda6835892b5767c10f266001692768dca7127a3
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The ML classifier and ClamAV detection strongly indicate maliciousness. The PDF contains embedded URLs, one of which is flagged as potentially malicious, suggesting a phishing or malware distribution attempt. Although no scripts were explicitly extracted, the presence of embedded URLs and the PDF structure itself are often used to redirect users to malicious sites or download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8907

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000becc.bin | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBECC | 16792 bytes
font_01_sfnt_off0000d6e3.bin | 861f9ab8deff765d77980fa6e8d3c9339388d45a2e380a6c9035187cfe155589 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD6E3 | 11004 bytes
font_02_sfnt_off0000f03d.bin | 547f8d224cc73cadbacdfb17598412299fbcb0c0869315865fd8dc2d8f55f3b6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF03D | 17456 bytes