Malicious PDF — malware analysis report

Static analysis result for SHA-256 8827cdb0db4d289e…

MALICIOUS

PDF

311.9 KB Created: 2021-07-17 07:46:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: e664dfa07d27d016c12b26b144115e86 SHA-1: ff8496f5244c7ab8fb9274fa8cc98bb22ec3ad42 SHA-256: 8827cdb0db4d289ea6b26ae4247c6b2a3d10696193a5eac63e4e8fe6e086446f
66 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The ClamAV detection and the presence of embedded URLs strongly indicate malicious intent, likely for phishing or malware distribution. The PDF structure and embedded artifacts suggest it's designed to exploit vulnerabilities or trick the user into downloading a secondary payload. No scripts were extracted, limiting the analysis of specific execution methods.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3308

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/sq/ugae/~3/CHqDoFjlE84/square?utm_term=guns+germs+and+steel+pdf+indonesia
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ee75790a53c127f5dbf469/1626240377355/vuxexaladorerijat.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60f11d91008c226a94251433/1626414482508/neluzimuzuxume.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60ed2ba567dd777ebfbe7620/1626155941283/10232850195.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ec823a0cf33f708d7a46da/1626112570821/apa_referencing_7th_edition_website.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60edbd5d36d51704235d3c5d/1626193245509/zinodizojijomo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000466b3.bin
68f28db04f13fa4b89864ac2854d52f00932a92bf0a1cc5a6d17e5059ba40090		 pdf-font-stream PDF embedded font (sfnt) at offset 0x466B3 10980 bytes
font_01_sfnt_off00047ffa.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x47FFA 16792 bytes
font_02_sfnt_off0004980c.bin
1862071f5de2de0a56450dc774f0fa78ecb0788195c73dce1828b07a8e095f99		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4980C 22380 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.