PDF malware analysis — malicious · 11dc8a064cc38167

MALICIOUS

PDF

88.9 KB Created: 2020-12-18 15:13:09 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4ff7d7f1517fa3ef54693ab9d9704299 SHA-1: 1ff05e6360082a1e811e2b3f2abea808f6b8da33 SHA-256: 11dc8a064cc381672a3bf8cb846ba69378edd43411937b4c71e79562aab33291

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning classifier indicated a high probability of maliciousness. An external URI pointing to 'traffine.ru' was extracted, suggesting a phishing or credential harvesting attempt. No scripts were extracted, but the presence of embedded URLs and the phishing detection strongly indicate a malicious intent to redirect users to a harmful site.

Machine Learning

Nyx PDF Classifier malicious score 0.9995

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://traffine.ru/aws?utm_term=broadsheet+and+tabloid
- https://cdn-cms.f-static.net/uploads/4454673/normal_5faad12219770.pdf
- https://cdn-cms.f-static.net/uploads/4403806/normal_5fd610a03efa3.pdf
- https://cdn-cms.f-static.net/uploads/4366401/normal_5f9cc26a88dfc.pdf
- https://cdn-cms.f-static.net/uploads/4386081/normal_5fdbd04ba4568.pdf
- https://cdn-cms.f-static.net/uploads/4371536/normal_5fa310a252d85.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.opentle.org
- https://uploads.strikinglycdn.com/files/e0b25a47-5110-4ecf-9f05-0098643c78f8/77797874274.pdf
- https://s3.amazonaws.com/pewebopufupe/miniclip_8_ball_pool_app.pdf
- https://uploads.strikinglycdn.com/files/feb3685a-0da9-49a1-a348-7f744f6dbbef/raliken.pdf
- https://uploads.strikinglycdn.com/files/4e72bb1d-c356-4db9-afe6-cd4b54fe673e/49035541712.pdf
- https://s3.amazonaws.com/labitajaxatufib/vulete.pdf
- https://s3.amazonaws.com/sefabe/basic_cover_letter_for_resume_template.pdf
- https://s3.amazonaws.com/zumomasugipeno/19809264440.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
- http://www.gnu.org/licenses/gpl.html

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f608.bin` `b1975061fff95fdbf4f336e7fa6d07c0220bc3781947d10b6a5ca2c1963391d6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF608	6500 bytes
`font_01_sfnt_off00010c38.bin` `614d4e76d86dec4dff3b1605408e5d03059e5f767d29634caadaa383ff6e474e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10C38	5100 bytes
`font_02_sfnt_off00011d7b.bin` `16aca3cd6f195c103444e09948420df5ac15de83d96e08e2fa257f1a9e61a174`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11D7B	6968 bytes
`font_03_sfnt_off0001301f.bin` `b88a1a6df868337e17603db5323fb5bcc11b52317ef89adc30ad73a914ace187`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1301F	11340 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.