Malicious PDF — malware analysis report

Static analysis result for SHA-256 60628b615dcb120a…

MALICIOUS

PDF

Size: 97.1 KB
Created: 2021-07-22 00:37:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: b948fcdceac8df75762a1b0d8464c72e
SHA-1: 5c821816c1d7c2f2d4f75b7e7bcc6171809296d1
SHA-256: 60628b615dcb120aae3a59aae1d8fbf714c5991f02bf4238a136b4ca2a9c5fba
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to a suspicious domain, likely intended to trick the user into visiting a phishing or malware distribution site. No scripts were extracted, but the presence of the malicious URL is a strong indicator of a phishing attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://inwebjor.ru/square?utm_term=all+aerobic+exercise
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ec97979cb57f380a79644d/1626118039644/mosasebazetikazewemegu.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60f0a156ea016413562194c9/1626382678292/4753073936.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60ee72d786aa876280bfbe75/1626239703661/sikikope.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60f5c39a4235824183bb084b/1626719130699/division_word_problems_grade_1.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f7bd5471a51f05554441eb/1626848596711/20181530951.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60f74efb66503670f34f8a67/1626820347530/28860760183.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f3d21726c2747482e4f376/1626591767770/pint_of_lager.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f3a66cce637c25833e3423/1626580588237/intouchables_watch_online_free_english_subtitles.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e8d1d3de2d3f60151182c3/1625870803253/gymnosperms_and_angiosperms_worksheet.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ec92867b14134336dde3c7/1626116742316/songs_about_love_and_distance.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f78c0495055530dd15f857/1626835972882/nepuxagemut.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60eca4035f8bf9690720ef76/1626121219880/strong_woman_synonym.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f8703ce344e14b63315eab/1626894396576/bullet_force_unblocked_at_school.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60f3c45e54c26a0cc3008ef4/1626588254111/pawes.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60f65beebace2302b51a8a9c/1626758126850/adult_teacup_chihuahua.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60e86fc6e0b7df382a7f2ec9/1625845702996/zafesedutedemepelemufezuv.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60ecb126c4d2886679e32fe4/1626124582217/breast_clinic_appointment.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60f76d245834cb689884c20a/1626828068683/protons_were_discovered_by.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f56457bb7e64222d1071ab/1626694743423/6137423573.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e8cccb4c181567023ce574/1625869515266/leather_revolver_holster_patterns.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00011874.bin
  SHA-256: 725f2d10805b8aa87e3a5285571f1596bb8258e9cad70bf4f5b9a3309b781886
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11874
  Size: 18036 bytes

Filename: font_01_sfnt_off0001471e.bin
  SHA-256: 4a98f196dd11d6a90ce1e2da4372a01348cea9a7167a0261ad4374b4dfcc15e9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1471E
  Size: 10244 bytes

Filename: font_02_sfnt_off00015e41.bin
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x15E41
  Size: 16792 bytes