Malicious PDF — malware analysis report

Static analysis result for SHA-256 960e37152a980e61…

MALICIOUS

PDF

105.5 KB Created: 2021-02-22 06:26:05 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5f420a2422dd5baae9c89100c873f548 SHA-1: 2c863a6b17f965b9947685f6bd95a7ebf2a65cfc SHA-256: 960e37152a980e615c9f140a394bc19705a804a79b07d2a3c6cb1e46c1a50d5e
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains an embedded URL that directs users to a suspicious domain, likely for phishing or malware distribution. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though partially corrupted, suggests a lure related to 'Diagrama de instalacion de gas natural vehicular' to entice clicks on the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/strik?utm_term=diagrama+de+instalacion+de+gas+natural+vehicular
    • https://kexiwiwimibip.weebly.com/uploads/1/3/1/3/131379584/1293648.pdf
    • https://tifowufiwadoxi.weebly.com/uploads/1/3/4/0/134098290/5294609.pdf
    • http://artdebug.site/the_accused_full_movie_hdykxbk.pdf
    • https://zatenumidepav.weebly.com/uploads/1/3/0/7/130776458/lababizidijo-lopoguxujup-migodis-mavipakoger.pdf
    • https://fupodakabapamom.weebly.com/uploads/1/3/4/4/134489617/jorom.pdf
    • http://bbflowers.net/gujogigujudirulubytt8e.pdf
    • https://cdn-cms.f-static.net/uploads/4500677/normal_5fd96c65b08eb.pdf
    • https://cdn.sqhk.co/kewixoretuze/yuhfkAZ/strategic_financial_management_book_for_mba.pdf
    • http://fontawesome.iohttp://fontawesome.io/license/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/tugumeb/63935721204.pdf
    • https://s3.amazonaws.com/regufojalojaza/80791015291.pdf
    • http://povalimokuwov.rf.gd/21240035607.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00015027.bin
4d3e90ee4fe0e7f0a02971d0b07a1b6258c846a91f22990ef7a3b02ab0b7b85f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15027 2140 bytes
font_01_sfnt_off000159c5.bin
23740ad3fe1b4cb5133f0454fbc6a9c975bcbd9dd5f3db83b933dfe70a8ab7c9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x159C5 5412 bytes
font_02_sfnt_off00016c0d.bin
a634c24da6e031f4f6191c67488152556981b88b82347236e32d31ba555b0eae		 pdf-font-stream PDF embedded font (sfnt) at offset 0x16C0D 13204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.