PDF malware analysis — malicious · 1dd0dec78c894c48

MALICIOUS

PDF

74.0 KB Created: 2021-01-16 17:11:30 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5e3bd1da5e87f9fcc5ac4b0ae44aa00c SHA-1: 7392eed00cb4254287c3847fb1bb11dfdc5259e9 SHA-256: 1dd0dec78c894c48160cbfd4c10626d414f286c492d73e4380980673af2405d4

104 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is identified as malicious by a ClamAV signature and an ML classifier, indicating a high likelihood of malicious intent. The presence of an external URI pointing to 'traffine.ru' suggests a phishing or malware distribution attempt. Although no scripts were explicitly extracted, the PDF format and the nature of the heuristics suggest it could be used to deliver a malicious payload or redirect the user to a malicious site.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://traffine.ru/123?utm_term=importance+of+banks+in+india
- https://cdn-cms.f-static.net/uploads/4393044/normal_5fc0cad1ede07.pdf
- https://static.s123-cdn-static.com/uploads/4459917/normal_5ff1df4bf1049.pdf
- https://cdn-cms.f-static.net/uploads/4460230/normal_5fb2c5e226978.pdf
- https://site-1171599.mozfiles.com/files/1171599/4530499155.pdf
- https://cdn-cms.f-static.net/uploads/4419822/normal_5faffdb948637.pdf
- https://site-1242757.mozfiles.com/files/1242757/auxiliary_verb_worksheets_for_grade_2.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/geraromu/wufadiga.pdf
- https://s3.amazonaws.com/gixirojozogufux/rijinenoxobupa.pdf
- https://s3.amazonaws.com/jotizifime/sobopudaxuzurezasajum.pdf
- https://s3.amazonaws.com/ganubatebedoxez/xotanekebonoruzob.pdf
- https://s3.amazonaws.com/varolexexus/16968872373.pdf
- https://s3.amazonaws.com/subopukomanaw/66210595098.pdf
- https://s3.amazonaws.com/tejuvonixag/bd_chaurasia_handbook_of_general_anatomy_free_download.pdf
- https://s3.amazonaws.com/niporofez/uniforme_mais_bonito_da_copa_2018.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e482.bin` `8fbb528d6ab64c49009b239b69479c7aba966b12aef79055812e2620cb00baf1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE482	5412 bytes
`font_01_sfnt_off0000f6cd.bin` `6b41283be9f0c2741de4349814ad6d7c30173462b7a72dfd43f8d660b727a813`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF6CD	10652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.