Malicious PDF — malware analysis report

Static analysis result for SHA-256 27cb763f67d2e120…

Verdict: MALICIOUS
File type: PDF
Size: 84.0 KB
Created: 2021-07-16 21:48:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 11b92fb64cb812ed51ce92f75048c2f6
SHA-1: e777d159cb493d225841db919234d7db02304658
SHA-256: 27cb763f67d2e12019364e0990319505d57f3b07b75115c1cf5435886c45abd5
Risk score: 66

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an embedded URI pointing to a suspicious domain, which is flagged by ClamAV as a phishing trojan. The document body is heavily obfuscated and appears to be generated by wkhtmltopdf, suggesting it's not intended for direct user reading but rather to host malicious content. The presence of an external URI indicates an attempt to redirect the user to a potentially harmful site.

Machine Learning

  • Nyx PDF Classifier clean score 0.0408

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://queure.ru/square?utm_term=polymath+meaning+in+english
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e853dec7e8270008042b78/1625838558606/graduation_friends_forever_cover.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60eca57f0f7d8d50062efce7/1626121599471/buvovekuzesufixalililiz.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0000c063.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xC063    10568 bytes
  SHA-256: db5b67432e0b1ec341b96ca48ee0bc4d00e6cc27032f6c0fb783a9b85c01d459
font_01_sfnt_off0000d859.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xD859    16060 bytes
  SHA-256: 8bfc5e2f6383778b4716e60c732a7e5228106b692ca52c1f6b3c0b2892049825
font_02_sfnt_off0000ed6c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xED6C    16792 bytes
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_03_sfnt_off0001057e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1057E   20112 bytes
  SHA-256: 23e6c2eb8bfa7146945fe51ae4f73ae605a23e77169a37ac7f27be6a1dacb962
font_04_sfnt_off00013874.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x13874   2064 bytes
  SHA-256: b3436f7820649f1c95cbc56d3654b6fb3077b83f6f6a5dca79812ea9230accac