Malicious PDF — malware analysis report

Static analysis result for SHA-256 8c2d4a378c52a402…

Verdict: MALICIOUS
File type: PDF
Size: 85.7 KB
Created: 2021-07-18 20:58:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 276a371c1f6ee6f1d742361ce51fa7c7
SHA-1: 995d5672092224ec180fd8df7ad793dc8fb84833
SHA-256: 8c2d4a378c52a40277d49b5cda34b894bc7af6cf39140392791260de7d7f49a8
Risk Score: 66

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is detected as a PDF phishing trojan by ClamAV. It contains an embedded URI action pointing to an external URL, most likely intended to redirect the user to a malicious site. No scripts were extracted, but the PDF structure and the presence of embedded URLs suggest an attempt to abuse user interaction (clicking the link) for malicious purposes. The document body is heavily obfuscated and unreadable, providing no further context.

Machine Learning

  • Nyx PDF Classifier: clean score 0.1529

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://feedproxy.google.com/~r/razvivatel/yapz/~3/AG-UZpNbJGc/square?utm_term=what+three+chemical+elements+are+the+building+blocks+of+carbohydrates
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f279f11db272198f8e3ff8/1626503665770/electrical_books_download.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f3ad336c177f33d7a6eb49/1626582324051/finding_faith_in_christ.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_002_off0000e8c4.bin
    SHA-256: 9bacca8ee0a0fdb282a7f8ec4ab4cbf162d43d5bba9ff99600fc3d8bff08c78a
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xE8C4
    Size: 11364 bytes
  • font_01_sfnt_off00010327.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10327
    Size: 16792 bytes
  • font_02_sfnt_off00011b39.bin
    SHA-256: 05d6fec707ee39b6fb4fa8c3ab9720ac67795e66911a771852c7f5b8e0bec02a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11B39
    Size: 17308 bytes