Malicious PDF — malware analysis report

Static analysis result for SHA-256 069cd1a5826185e4…

MALICIOUS

PDF

Size: 94.6 KB
Created: 2021-03-15 23:41:58 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fe001859f7df4bf993bfd1937a323c7c
SHA-1: d9da620b54d2496e952edd855bf3bc75fb70c03f
SHA-256: 069cd1a5826185e4f756e9ec0113d84bc3b807afad0ad5dc3053af7000ce556a
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL pointing to 'jacksth.ru', which is likely part of the phishing lure. Although no scripts were explicitly extracted, the PDF structure and the embedded-URI heuristic suggest it is designed to redirect users to malicious content, potentially a phishing page or a further payload download.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/strik?utm_term=bounty+hunter+tracker+iv+headphones
    • http://qunit.space/53370727303zcrcg.pdf
    • http://scoretdho.best/how_much_does_active_guard_reserve_makei4ro2.pdf
    • http://pitushok.fun/wazoxoliwejixenemenemejfu.pdf
    • http://ing-jobs-opportunities.com/27209841736erhyr.pdf
    • http://rankingcoach-apps.com/dudivzex6e.pdf
    • http://leqqurint.online/cuisinart_supreme_grind_automatic_burr_mill_ccm-16pc1bya26.pdf
    • http://boomerangoo.site/vuwonesev9z61.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://lodonevubepivor.epizy.com/fekelibawilawasof.pdf
    • http://gagupaxoz.epizy.com/buckingham_pi_theorem_nptel.pdf
    • https://s3.amazonaws.com/wovigebi/amiga_forever_iso.pdf
    • http://valamujunitun.epizy.com/haryana_b_ed_scholarship_form.pdf
    • http://zeduxutebepirob.epizy.com/58398904636.pdf
    • https://uploads.strikinglycdn.com/files/00da7918-e1bd-4637-b5d3-2b0f9c0ed324/can_you_burn_patchouli_leaves.pdf
    • https://uploads.strikinglycdn.com/files/9750d0ae-2b29-4f79-908d-050fbdc650c8/bewujipu.pdf
    • https://uploads.strikinglycdn.com/files/97967a14-90c1-4acb-86cb-da15408bf5d1/samsung_rugby_4_unlocked_india.pdf
    • http://xupiwepe.epizy.com/barriers_and_breakdown_in_communication.pdf
    • http://pevukotexape.rf.gd/mewoxavowut.pdf
    • https://s3.amazonaws.com/xakajoziwibi/usps_media_mail_rates_chart.pdf
    • https://uploads.strikinglycdn.com/files/1749dd82-dc11-4601-b980-266b0ed65bf8/how_to_fix_code_35_thermo_king.pdf
    • http://dalumawinalejat.epizy.com/tevatumisu.pdf
    • https://uploads.strikinglycdn.com/files/a322718d-f831-416e-8520-4bead5bae21d/1102146551.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010015.bin
SHA-256:  91838cdcd5e0aafc5bf0af0349e66d06387e1551d24a013491c16510681f740e
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x10015
Size:     6424 bytes

Filename: font_01_sfnt_off00010ff7.bin
SHA-256:  dbc142c3a5af7e88d61488c88c71f2717040d61b952eda3136eab458c46b32b2
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x10FF7
Size:     5404 bytes

Filename: font_02_sfnt_off00012259.bin
SHA-256:  bda46a189ab5ca82e9a2dfbdd44eacc5857f8d08cd207523bdafa5b6a969d3e3
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x12259
Size:     2504 bytes

Filename: font_03_sfnt_off00012d3c.bin
SHA-256:  3ce03d990fa10774460219cfa5ad0943ee05a2f7365de3b7bc2ab4ed47cb7cde
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x12D3C
Size:     11648 bytes

Filename: font_04_sfnt_off0001550b.bin
SHA-256:  333c6b7950143ef5b768b9d621755905cb9f9f437be433e332b6baa8edb2b5fd
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x1550B
Size:     16148 bytes