Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ad8877071f2e230…

MALICIOUS

PDF

712.6 KB
MD5: 91adb7d66f7cabd96be7b34cd39924dc SHA-1: 11f9ee4d65bd9fc0f6a3ab341a09b2a2dd5f6e7c SHA-256: 3ad8877071f2e2306edea3b341f42d85c8f4054211892b2339137e83c77a44f5
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains heuristics indicating it uses parser evasion techniques and embeds external actions, suggesting an attempt to trick the user. It also contains a shortened URL and a direct URL, both of which are likely malicious. The primary goal appears to be redirecting the user to a potentially harmful site.

Heuristics 4

  • Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Clickable URI uses URL shortener medium PDF_URL_SHORTENER_URI
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_008_off0000ae1d.bin
33b5ddd39f296af965633e6eaefca702757e307518e2110d335f65072cb183e5		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xAE1D 103700 bytes
stream_085_off00056af7.bin
06f6989e204a3b3038025cc33441e1a2f2a03fa0a1a425a6ae9f7e4422d85475		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x56AF7 172800 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.