Malicious PDF — malware analysis report

Static analysis result for SHA-256 171caf62d8625e94…

MALICIOUS

PDF

64.6 KB Created: 2020-11-19 02:04:39 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3f816e72e015520aa6cab8a051f01c8b SHA-1: 1fcd372b1533aefb6ea0605083e18da07d9e6f53 SHA-256: 171caf62d8625e94321c7006cb92c5ea87300b489e37034ddadd9b5ac4512b24
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning classifier indicated a high probability of maliciousness. An embedded URL points to a suspicious domain, likely for phishing purposes. The PDF structure itself contains obfuscated content, suggesting an attempt to conceal its malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9905

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffi.ru/123?utm_term=glm+80+manual
    • https://mezuminekafowiw.weebly.com/uploads/1/3/4/3/134346911/kipewefebepim-jesifux-mixituwevafod-vexor.pdf
    • https://lotetirupaxep.weebly.com/uploads/1/3/4/0/134013035/73fe243e.pdf
    • https://cdn-cms.f-static.net/uploads/4388174/normal_5faf93fe55711.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/ab6170d7-538a-4f05-8cae-83ff1f12b6a5/30835887523.pdf
    • https://uploads.strikinglycdn.com/files/416fdf97-c4e4-4dea-8d2b-5daa50b15e27/the_road_to_character_free.pdf
    • https://uploads.strikinglycdn.com/files/c78e754e-db3d-43ef-ad48-2be93378bddc/veraririwetenamuzemuvojuw.pdf
    • https://uploads.strikinglycdn.com/files/0796f2f8-26d2-4959-9f7e-27a1f7170b70/environmental_engineering_fundamentals_sustainability_design.pdf
    • https://uploads.strikinglycdn.com/files/9e1b051a-6dd0-4c64-ac3d-cf3ef0459a3f/destiny_2_opening_shot.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ab3c.bin
5cc589a0d8be2bcf5985eafdd1a325be0976462ca9753752c0c5907fb3f98f15		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAB3C 4452 bytes
font_01_sfnt_off0000ba2b.bin
a1827a9fb7f9bbc19a387e3f799303b7952d05bca01836db26d2596fced8a97b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBA2B 14008 bytes
font_02_sfnt_off0000e688.bin
4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE688 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.