Malicious PDF — malware analysis report

Static analysis result for SHA-256 b60f875cd31699df…

MALICIOUS

PDF

98.0 KB Created: 2020-12-21 06:44:11 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d4998fbdbaf57e1ed6d66b0a873c4d34 SHA-1: 100d4f6e1d0f0b54fc9d5089f6bd050d92262327 SHA-256: b60f875cd31699dfd6c4aec3b843c5656fd125074dc3e9f9cfddf9a35b4e4208
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The embedded URI points to a suspicious domain, suggesting a phishing or malware distribution attempt. Although no scripts were explicitly extracted, the PDF structure and URI are strong indicators of malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffine.ru/strik?utm_term=the+king+of+fighters+movies+list
    • https://cdn-cms.f-static.net/uploads/4421217/normal_5fd3afb25733d.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/robumuduluwise/male_names_for_flowers.pdf
    • https://s3.amazonaws.com/gaxuremewuger/wutekofimusozalinopifewi.pdf
    • https://uploads.strikinglycdn.com/files/405069b5-2587-4c5b-8858-f41b905e32d8/jiwarasopapoxo.pdf
    • https://uploads.strikinglycdn.com/files/0df7e839-2dfa-4deb-b0ce-7abea9de734a/gemakefugevunurekeb.pdf
    • https://uploads.strikinglycdn.com/files/fcaec1d6-a100-4ae5-8e41-5fa05cfe5561/fujewakopag.pdf
    • https://uploads.strikinglycdn.com/files/cc913e0f-136d-4d87-880d-9c2d2952aaca/tuzutefejirug.pdf
    • https://s3.amazonaws.com/dobesogum/attendance_sheet_format.pdf
    • https://uploads.strikinglycdn.com/files/9d471884-0ecf-49ea-b8c5-1bf0b985110a/nabedatatuduxovasole.pdf
    • https://uploads.strikinglycdn.com/files/84a644ad-7c6b-463e-b4ac-5e1d0b641152/sesujilatejadebipaw.pdf
    • https://uploads.strikinglycdn.com/files/39786e52-2dc6-4943-9aec-977334e1d20d/91609899920.pdf
    • https://uploads.strikinglycdn.com/files/656fd1fc-9343-44f1-b32b-f285701685f0/castlevania_gba_rom_hacks.pdf
    • https://s3.amazonaws.com/tazopaju/citra_android_apk.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00013470.bin
4c82f87c2384523b65aae7ca697802a27d029c94dc469c02fca0115909c3a552		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13470 5044 bytes
font_01_sfnt_off00014580.bin
075f8df929f01444d2d06b16617f1654568879f441b3229430312bee79f6c53d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14580 16872 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.