Malicious PDF — malware analysis report

Static analysis result for SHA-256 84a8b68b8886b25d…

Verdict: MALICIOUS
File type: PDF
Size: 119.3 KB
Created: 2021-09-16 11:06:39 +01:00
Authoring application: Microsoft® Word for Microsoft 365
First seen: 2021-09-23
MD5: f8e7e4abc8452690e26c02b15d65ab3d
SHA-1: 333d36c5fc3312c45f30c6466ddc7c2527be1232
SHA-256: 84a8b68b8886b25d7f98e51def48556eca2ea5fb4f5b2dff396f84e7566c16e1
Risk score: 64

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is a PDF document that ClamAV flags with the phishing signature Pdf.Phishing.CWSda14c54d-9888623-0. Its document info names Microsoft Word for Microsoft 365 as the authoring application, and most of its content sits in a single FlateDecode stream that decodes to 102864 bytes (see Extracted artifacts). The one actionable indicator is a /Link annotation whose /URI action points to an externally hosted HTML page in a bucket on Backblaze B2 cloud storage (f002.backblazeb2.com); that pattern is consistent with a lure document that sends the reader to a phishing page, or to a follow-on payload, hosted on a legitimate service. No JavaScript or other script content was extracted, so static analysis cannot confirm an execution technique; the T1059.007 mapping is not corroborated by any extracted artifact and should be treated as tentative until the sample and the linked page are examined dynamically. The remaining URLs in the document are XMP namespace identifiers, embedded-font vendor strings and Microsoft PKI CRL/AIA endpoints, and are not indicators.

Machine Learning

  • Nyx PDF Classifier clean score 0.0021

Heuristics (3)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.CWSda14c54d-9888623-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels below say which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://f002.backblazeb2.com/file/diplopteryga-forage-rased/index.html  [PDF link annotation]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  [PDF document text]
    • http://ns.adobe.com/pdf/1.3/  [PDF document text]
    • http://purl.org/dc/elements/1.1/  [PDF document text]
    • http://ns.adobe.com/xap/1.0/  [PDF document text]
    • http://ns.adobe.com/xap/1.0/mm/  [PDF document text]
    • https://docs.microsoft.com/typography/about  [PDF document text]
    • http://lucasfonts.com  [PDF document text]
    • http://en.wikipedia.org/wiki/MIT_License  [PDF document text]
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl  [PDF document text]
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt  [PDF document text]
    • http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl  [PDF document text]
    • http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt  [PDF document text]
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl  [PDF document text]
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt  [PDF document text]
    • http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  [PDF document text]
    • http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt  [PDF document text]
    • http://www.microsoft.com/pkiops/docs/primarycps.htm  [PDF document text]
    • http://www.microsoft.com/Typography  [PDF document text]
    Only the first entry is reachable by a click. The w3.org, ns.adobe.com and purl.org URIs are XMP metadata namespaces; the docs.microsoft.com/typography, lucasfonts.com, MIT_License and microsoft.com/Typography strings are vendor and licence entries from the name tables of embedded fonts; the crl.microsoft.com and www.microsoft.com/pki* URLs are CRL, AIA and CPS pointers from a Microsoft code-signing and timestamping certificate chain, most likely the DSIG table of an embedded Microsoft font. None of these is an indicator of compromise and they should not be blocked or submitted as IOCs.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_007_off00014ce3.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecode stream at offset 0x14CE3
Size: 102864 bytes
SHA-256: 5008fe1a38727c0e2e0d565c08769d0b178bebfb52564951bc9d6ccf1f86f7c3
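As an added worked example (not code from the analysis platform that produced this report), the following Python script shows at the byte level how the two things this report relies on are done: labelling each extracted URL with the channel that reached it, separating a clickable /Link annotation with a /URI action from inert URL strings in page text or metadata as the per-URL labels under Embedded URL do, and carving a FlateDecode stream by its offset and hashing the decoded bytes as in the Extracted artifacts table. It builds its own minimal PDF in memory (the lure host example.invalid and the page text are constructed placeholders, not content of the analysed sample) and uses only the standard library; the object walker is deliberately minimal and does not handle object streams, cross-reference streams or indirect /Length values.

```python
import hashlib
import re
import zlib

# Constructed sample (not the analysed file). Object 5 is a /Link annotation whose
# /URI action targets a placeholder host; object 4 is a FlateDecode content stream
# whose page text mentions an XMP namespace URI. Neither URL is an indicator.
PAGE_TEXT = b"BT /F1 12 Tf 72 700 Td (Metadata: http://ns.adobe.com/xap/1.0/) Tj ET"
LURE_URL = b"https://example.invalid/lure/index.html"  # placeholder, not the real lure


def build_sample_pdf():
    deflated = zlib.compress(PAGE_TEXT)
    bodies = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(deflated)
        + deflated + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 710] "
        b"/A << /S /URI /URI (" + LURE_URL + b") >> >>",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(bodies, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(bodies) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(bodies) + 1, xref_pos)
    return bytes(out)


# Minimal object walker: enough for classic-xref PDFs with a direct /Length. A real
# triage tool must also cope with object streams, indirect /Length and binary data
# that happens to contain "endobj".
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_START_RE = re.compile(rb"^(<<.*?>>)\s*stream\r?\n", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")   # direct /Length only
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(([^)]*)\)", re.S)
URL_RE = re.compile(rb"https?://[^\s()<>\[\]]+")


def parse_objects(pdf):
    """Return {obj_num: {dict, stream_offset, raw, decoded, filter}} per indirect object."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        body = m.group(2)
        e = {"dict": body, "stream_offset": None, "raw": None, "decoded": None, "filter": None}
        sm = STREAM_START_RE.match(body)
        if sm:
            e["dict"] = sm.group(1)
            e["stream_offset"] = m.start(2) + sm.end()   # absolute offset of first stream byte
            data = body[sm.end():]
            lm = LENGTH_RE.search(e["dict"])
            if lm:                                       # trust a direct /Length ...
                e["raw"] = data[: int(lm.group(1))]
            else:                                        # ... else fall back to the keyword
                e["raw"] = data[: data.rfind(b"endstream")].rstrip(b"\r\n")
            if b"/FlateDecode" in e["dict"]:
                e["filter"] = "FlateDecode"
                try:
                    e["decoded"] = zlib.decompress(e["raw"])
                except zlib.error:
                    e["decoded"] = None                  # truncated or deliberately corrupt stream
            else:
                e["decoded"] = e["raw"]
        objs[int(m.group(1))] = e
    return objs


def extract_urls(pdf):
    """Map each URL to the channel(s) that reached it, like the report's per-URL labels."""
    found = {}
    for o in parse_objects(pdf).values():
        d = o["dict"]
        if re.search(rb"/Subtype\s*/Link\b", d):
            # Target of a clickable action: the only channel here that is actionable.
            for am in URI_ACTION_RE.finditer(d):
                found.setdefault(am.group(1).decode("latin-1"), set()).add("PDF link annotation")
            continue
        # Everything else is inert text: dictionary strings and decoded stream content.
        for blob in (d, o["decoded"] or b""):
            for um in URL_RE.finditer(blob):
                found.setdefault(um.group(0).decode("latin-1"), set()).add("PDF document text")
    return found


def carve_flate_streams(pdf):
    """Mirror the Extracted artifacts table: name, offset, decoded size and SHA-256."""
    rows = []
    for num, o in sorted(parse_objects(pdf).items()):
        if o["filter"] == "FlateDecode" and o["decoded"] is not None:
            rows.append({
                "name": "stream_%03d_off%08x.bin" % (num, o["stream_offset"]),
                "offset": o["stream_offset"],
                "size": len(o["decoded"]),
                "sha256": hashlib.sha256(o["decoded"]).hexdigest(),
            })
    return rows
```

Calling extract_urls(build_sample_pdf()) returns the lure URL labelled only as "PDF link annotation" and the XMP namespace URI labelled only as "PDF document text", which is the distinction that makes the first entry in this report actionable and the rest noise; carve_flate_streams returns one row whose offset points at the zlib header inside the file, as the stream_007_off00014ce3.bin entry above does. Honouring a direct /Length before falling back to the endstream keyword matters in triage because compressed data can legitimately contain that keyword, and a parser that splits on it silently truncates the stream.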