Malicious PDF — malware analysis report

Static analysis result for SHA-256 13e75904061b8146…

MALICIOUS

PDF

69.3 KB Created: 2020-12-21 07:50:30 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6dfb123ce56420c485f51c2617dd8721 SHA-1: 79862e90381ec1c1df14ecca40f68d2ab659dae6 SHA-256: 13e75904061b8146286fbe1ef762c5f2d8b2239979be16414c1839eda46c32b1
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, which is likely intended to host a malicious payload or phishing page. The document body, though heavily obfuscated, appears to reference game-related content, suggesting a lure to entice users to click the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffe.ru/strik?utm_term=hill+climb+racing+2+monster+truck+fully+upgraded
    • https://widufosonetorif.weebly.com/uploads/1/3/4/5/134598319/ruvidumerofakade.pdf
    • https://cdn-cms.f-static.net/uploads/4388598/normal_5f8e3c03d8b2b.pdf
    • https://bozaxadoduzake.weebly.com/uploads/1/3/4/3/134306622/nupufonazomiv_jukopu_rajonez.pdf
    • https://texanajak.weebly.com/uploads/1/3/4/0/134018539/pakofigalalis.pdf
    • https://gavawujag.weebly.com/uploads/1/3/4/3/134370084/4461083.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/3ff69210-315d-4e03-84bb-b407b4fac28e/vulotaja.pdf
    • https://static1.squarespace.com/static/5fc0f975bf71053ccb109642/t/5fc163327acac6192af4c14e/1606509363066/midagoje.pdf
    • https://uploads.strikinglycdn.com/files/eaca5b46-5cdc-4645-bbfd-7c40257e41af/lixase.pdf
    • https://uploads.strikinglycdn.com/files/6d375400-3f06-4831-87bd-f0024d8c952c/90526690229.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d123.bin
15f6ec7478e2ad120ec1b691049d8a711a21bc8e748fd722ac96673957263cae		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD123 5876 bytes
font_01_sfnt_off0000e513.bin
6a3a37f789a921b57fe1fdc9aa9214392018f316823ab6c004658972ec7c8856		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE513 10436 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.