Malicious PDF — malware analysis report

Static analysis result for SHA-256 0bda6571e2580aae…

Verdict: MALICIOUS
File type: PDF
Size: 81.5 KB
Created: 2020-12-16 22:25:02 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: eaa5fe5a27ce5f27fd9934c4a7cb15b5
SHA-1: ef4ba06f6ddb1bcf2baba3628a3e639437691e9b
SHA-256: 0bda6571e2580aaedfa2e0439ffb9e31a35130d16910170b1efec7fde1934ded
Risk score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains lures related to payment redirection and callback phishing, specifically mentioning 'Transfer amazon gift card balance to credit card'. The presence of an external URI pointing to 'traffking.ru' suggests a redirection to a malicious site. While no scripts were explicitly extracted, the ML classifier and heuristic firings strongly indicate malicious intent, likely related to phishing or financial scams.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (6)

  • Payment redirection / bank-detail change lure (severity: high, SE_PAYMENT_REDIRECT_LURE)
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions, a high-value business-email-compromise pattern.
  • Callback phishing phone lure (severity: medium, SE_CALLBACK_LURE)
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://traffking.ru/123?utm_term=transfer+amazon+gift+card+balance+to+credit+card

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e94c.bin
    SHA-256: 289bbd3c6bf0f79b0651f0c87439d1ed6476a8772bbf414093945721a9b4418c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE94C
    Size: 5480 bytes
  • Filename: font_01_sfnt_off0000fbde.bin
    SHA-256: c6c98a2b9b9e54a18e3c7f99a8f17290e4dc5538f9f59f5e01b5fbd2d51fa77a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFBDE
    Size: 11396 bytes
  • Filename: font_02_sfnt_off000122df.bin
    SHA-256: f16dbd422885e1580008149b4bbb110a2d3c0f10b803cb773363523be76a13dd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x122DF
    Size: 16284 bytes