PDF malware analysis — malicious · 05a1b1aa1e038111

MALICIOUS

PDF

65.7 KB Created: 2020-12-25 21:48:42 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: afa7520c30e6213b18c06e27f4571557 SHA-1: 2e1438db37339cd5e2b1632c691ee0db0dd6bcc8 SHA-256: 05a1b1aa1e038111cf784f321e1359613e07ae1493ad103f80cdf4a9622b615d

104 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to 'traffine.ru', which is likely a malicious domain used for phishing or malware distribution. The presence of a download button lure further supports the phishing attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://traffine.ru/strik?utm_term=mega+ramp+impossible+stunts+3d+unblocked
- https://cdn.sqhk.co/biwezabob/jgiiBgh/veziporovakeget.pdf
- https://cdn-cms.f-static.net/uploads/4425929/normal_5f9b1f8fbbd00.pdf
- https://cdn-cms.f-static.net/uploads/4414867/normal_5f9c66d708791.pdf
- https://cdn-cms.f-static.net/uploads/4367621/normal_5f898764ec4ee.pdf
- https://cdn-cms.f-static.net/uploads/4455183/normal_5fb7b6b3f3e74.pdf
- https://cdn-cms.f-static.net/uploads/4370540/normal_5fbf455faeb47.pdf
- https://cdn-cms.f-static.net/uploads/4410015/normal_5f943b1a0c762.pdf
- https://static.s123-cdn-static.com/uploads/4427793/normal_5fcf4a6905d7f.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/kavugusepe/filmes_online_gratis_em_portugues.pdf
- https://uploads.strikinglycdn.com/files/a9f7be7a-0221-4a6d-a875-59a582b25bb2/51827644125.pdf
- https://s3.amazonaws.com/welanisowari/56114205167.pdf
- https://s3.amazonaws.com/bodepova/94583981752.pdf
- https://uploads.strikinglycdn.com/files/17d2e806-9aaf-4244-8c72-a87d38bf0eea/35017825914.pdf
- https://uploads.strikinglycdn.com/files/bb68abeb-cb8e-4a69-90f1-bcc1b40fbb6c/vibavapadonuro.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c3a1.bin` `de050d8ecc08290e83c1f2b9497821520f397a8e21fdfdf998fb38105ed15fc2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC3A1	5768 bytes
`font_01_sfnt_off0000d735.bin` `12e3889223c7f171b56736caf20e2a1653c5128dc80fb15f070562d2f24d93f2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD735	10248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.