Malicious PDF — malware analysis report

Static analysis result for SHA-256 18b774ea39c46476…

Verdict: MALICIOUS
File type: PDF
Size: 73.8 KB
Created: 2020-12-17 12:41:07 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1561941d1721ab8795e9db14fae68e95
SHA-1: 101279c61b7bccb3e4aec0d224dc362208c24b72
SHA-256: 18b774ea39c464769fb5906ace6df15b37a81461d1a70b54e62016184f1d02f7
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document identified as malicious by ClamAV and an ML classifier. It contains an embedded URI pointing to a suspicious domain, trafffi.ru, which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, appears to be related to 'linear programming', suggesting a lure to disguise the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-definition-wins reader and a last-definition-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://trafffi.ru/strik?utm_term=linear+programming+two+phase+simplex+method

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000cce4.bin
    SHA-256: 027836de0f207adb2ef99ed379aa91d760762976cbcc3e0eb146542e6e0e7571
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCCE4
    Size: 5472 bytes
  • Filename: font_01_sfnt_off0000df73.bin
    SHA-256: b27a2c7e40ea450ad763cab7d2e75dac5de91cb19864e153a4c8437df776fd54
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDF73
    Size: 10908 bytes
  • Filename: font_02_sfnt_off00010512.bin
    SHA-256: 4df0d9c347762b6f342075c20489a734af01dbbab0c86c2c07b37e080450e225
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10512
    Size: 16092 bytes