Malicious PDF — malware analysis report

Static analysis result for SHA-256 2028ad469146a18d…

Verdict: MALICIOUS
File type: PDF
Size: 87.4 KB
Created: 2020-11-13 08:06:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f09a512b2b5b137aacb12ae763fa113b
SHA-1: 1e6c04f8cceaf4e33d5a81fe712d062de4d24760
SHA-256: 2028ad469146a18dccbf88e74ada4e98eed86be3abd9a5a73b331bdd8d513d87
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was flagged by the Nyx PDF classifier (malicious score 0.7410) and by ClamAV, whose signature names it a PDF phishing trojan. The document carries an external URI action pointing to https://trafffe.ru/strik?utm_term=sushruta+samhita+pdf; the utm_term parameter gives away the lure topic ('Sushruta samhita pdf'), and that link is the likely hop to a payload download or a phishing page. The document text itself is heavily obfuscated. The remaining extracted URLs fall into two groups: links to PDF files hosted on weebly.com, f-static.net, strikinglycdn.com and an S3 bucket, a pattern consistent with mass-produced "free PDF download" lure documents generated with wkhtmltopdf; and http://www.ascendercorp.com/ plus http://scripts.sil.org/OFL, which are a font vendor URL and the SIL Open Font License URL and most likely come from the two embedded font streams rather than from the lure content. No JavaScript or other script was extracted, so the T1059.007 mapping is not supported by the static artifacts; the verdict rests on the classifier score, the ClamAV signature and the external URI action.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7410

Heuristics (3)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV detected this file as malware, signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafffe.ru/strik?utm_term=sushruta+samhita+pdf (target of the external URI action)
    • https://nuvisinuxaxo.weebly.com/uploads/1/3/1/3/131383681/gejasu.pdf
    • https://cdn-cms.f-static.net/uploads/4385633/normal_5f9c81f2d6f59.pdf
    • https://cdn-cms.f-static.net/uploads/4366055/normal_5f8c467ae8e88.pdf
    • https://bameveba.weebly.com/uploads/1/3/4/1/134108569/6709101.pdf
    • https://fawefugixizim.weebly.com/uploads/1/3/1/3/131383791/f4f0892d364d2c.pdf
    • https://cdn-cms.f-static.net/uploads/4391915/normal_5f98ee7157947.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/wexoteluwag/the_little_mermaid_cast_2020.pdf
    • https://uploads.strikinglycdn.com/files/d1a13ba6-4971-4a35-a88b-45d0aaf95a54/elite_dangerous_barnacle_forest.pdf
    • https://uploads.strikinglycdn.com/files/06888460-25e8-4b2c-af43-fdabfa173e70/71901244984.pdf
    • https://uploads.strikinglycdn.com/files/1b87c213-3bcd-4a08-92af-78291f52bef4/dajibab.pdf
    • http://scripts.sil.org/OFL
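The two URL heuristics above (PDF_URI, and the per-channel labels that EMBEDDED_URL refers to) can be reproduced with a small scanner. The following is an added example written for this report, not code from the analysis platform: it splits a PDF into its indirect objects, inflates FlateDecode streams, and tags every URL with the channel it was found in (URI action or link annotation, JavaScript, page content stream, embedded sfnt font stream). The PDF it scans is constructed inline; the trafffe.ru and scripts.sil.org/OFL URLs are taken from this report, while lure.example is a made-up host and the "font" is only an sfnt magic number followed by licence text, not a usable font.

```python
"""Label every URL in a PDF with the channel that carried it.

Added example for this report, not code from the analysis platform. It covers
literal (...) strings, uncompressed and FlateDecode streams, and classic
'N 0 obj ... endobj' objects only; object streams, other filters, hex strings
and encryption are out of scope, so a real extractor needs a full PDF parser.
"""
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"^(?P<dict>.*?)stream\r?\n(?P<data>.*?)\r?\nendstream", re.S)
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'*+,;=%-]+")
# Magic numbers of the sfnt container (TrueType, CFF-based OpenType, Mac TrueType, collection)
SFNT_MAGICS = {b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf"}


def split_objects(pdf: bytes):
    """Yield (object number, object body) for every indirect object in the file."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), m.group(2)


def stream_parts(body: bytes):
    """Split an object into (dictionary, decoded stream data); data is None without a stream."""
    m = STREAM_RE.match(body)
    if not m:
        return body, None
    obj_dict, data = m.group("dict"), m.group("data")
    if b"/FlateDecode" in obj_dict:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # truncated or corrupt stream: scan the raw bytes instead
    return obj_dict, data


def channel_for(obj_dict: bytes, data) -> str:
    """Name the channel an object represents; a JavaScript action outranks a plain link."""
    if re.search(rb"/S\s*/JavaScript|/JS\b", obj_dict):
        return "javascript"
    if re.search(rb"/S\s*/URI|/Subtype\s*/Link", obj_dict):
        return "link_annotation"
    if data is not None and data[:4] in SFNT_MAGICS:
        return "font_stream"  # embedded font: URLs here are normally licence or vendor text
    if data is not None:
        return "content_stream"  # page body, i.e. text the reader actually sees
    return "other_object"


def has_uri_action(pdf: bytes) -> bool:
    """The PDF_URI heuristic: any action dictionary of type /URI in the file."""
    return re.search(rb"/S\s*/URI\b", pdf) is not None


def extract_urls(pdf: bytes) -> dict:
    """Map URL -> set of channel names that reached it (the EMBEDDED_URL labels)."""
    found = {}
    for _num, body in split_objects(pdf):
        obj_dict, data = stream_parts(body)
        channel = channel_for(obj_dict, data)
        for blob in (obj_dict, data or b""):
            for m in URL_RE.finditer(blob):
                found.setdefault(m.group(0).decode("latin-1"), set()).add(channel)
    return found


def _obj(num: int, body: bytes) -> bytes:
    return b"%d 0 obj\n%s\nendobj\n" % (num, body)


def _stream(extra: bytes, data: bytes) -> bytes:
    return b"<< /Length %d %s >>\nstream\n%s\nendstream" % (len(data), extra, data)


def build_sample_pdf() -> bytes:
    """Constructed sample: a link annotation to the report's trafffe.ru URL, a
    Flate-compressed page whose text contains a made-up URL, and a fake font
    stream (sfnt magic plus licence text, not a real font). No xref table."""
    page_text = b"BT /F1 12 Tf 72 700 Td (Download: http://lure.example/sushruta-samhita.pdf) Tj ET"
    fake_font = b"\x00\x01\x00\x00" + b"\x00" * 8 + b"Licensed under http://scripts.sil.org/OFL\x00"
    objects = [
        _obj(1, b"<< /Type /Catalog /Pages 2 0 R >>"),
        _obj(2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
        _obj(3, b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>"),
        _obj(4, _stream(b"/Filter /FlateDecode", zlib.compress(page_text))),
        _obj(5, b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 710] "
                b"/A << /S /URI /URI (https://trafffe.ru/strik?utm_term=sushruta+samhita+pdf) >> >>"),
        _obj(6, _stream(b"/Length1 %d" % len(fake_font), fake_font)),
    ]
    return b"%PDF-1.4\n" + b"".join(objects) + b"%%EOF\n"


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("PDF_URI heuristic fires:", has_uri_action(sample))
    for url, channels in sorted(extract_urls(sample).items()):
        print(f"{url:60} <- {', '.join(sorted(channels))}")
```

The font_stream label is what lets an analyst discount the licence and vendor URLs in the list above without dropping them from the record, while a URL reached through a URI action or a page content stream is one the reader is actually steered to. On a real sample the same scanner should be run after decompressing object streams and decrypting the file, otherwise the annotation and content objects that matter most may never be seen.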

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                       Size
font_00_sfnt_off0001414d.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x1414D   2856 bytes
  SHA-256 ede077bcf9d936b2deabd1ca36e5cf164b77d75f1467ec74ab7a8d43bb048d6a
font_01_sfnt_off00014b78.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x14B78   5352 bytes
  SHA-256 c55683b296f545fdb6b9f3f839280a7a433f0640584f58af73726c48275207a7