PDF malware analysis — malicious · 21baecb7948932dd

MALICIOUS

PDF

79.7 KB Created: 2020-12-28 17:58:21 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 049c3d46441361f976519b0758270c28 SHA-1: c1bb9c927fe2bc9ab82d5d212f669fe93da57167 SHA-256: 21baecb7948932dd5865a8c885fe387cee8cba05c13c4bee1e762c7e9634cfb1

104 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, specifically identified as a phishing trojan. The document body, though heavily obfuscated, contains text suggesting it is a 'relieving letter sample in word format' and includes an external URI pointing to 'trafftec.ru'. This combination strongly indicates a phishing lure designed to trick users into visiting a malicious website.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://trafftec.ru/aws?utm_term=relieving+letter+sample+in+word+format
- https://cdn-cms.f-static.net/uploads/4385434/normal_5f8e7144eb35e.pdf
- https://cdn.sqhk.co/rodesedaded/oibXihd/vukorani.pdf
- https://cdn-cms.f-static.net/uploads/4382430/normal_5fa4eada94d7f.pdf
- https://cdn-cms.f-static.net/uploads/4408983/normal_5f9fe5180d44e.pdf
- https://cdn-cms.f-static.net/uploads/4389387/normal_5fa24bbadb0a9.pdf
- https://cdn-cms.f-static.net/uploads/4416153/normal_5fd9492f080be.pdf
- https://cdn.sqhk.co/dutebevon/fieRjan/pumogimulaweretamewurujom.pdf
- https://static.s123-cdn-static.com/uploads/4370275/normal_5fca44926fb17.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/jejulurowev/xuxotuduvisabevorifu.pdf
- https://s3.amazonaws.com/lawakux/gasedijas.pdf
- https://s3.amazonaws.com/pivetuzadujo/zopov.pdf
- https://s3.amazonaws.com/tixedujegibex/serena_lasagne_sheets_recipe.pdf
- https://uploads.strikinglycdn.com/files/d82dba8d-cdbe-4ccd-8392-249064901289/nomidewokasiromebetewoj.pdf
- https://uploads.strikinglycdn.com/files/ff1eb750-65da-46e6-ba5b-d1d92fb78078/gatexawedo.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f89d.bin` `dceeb0fc6af03df1330587c0058d19c4cd8a1045fd9326b5d801509b7ef0843f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF89D	5520 bytes
`font_01_sfnt_off00010b6e.bin` `f3810e3edae8e4b57aae8fdfaf128b9eead8e1862c039836204f5f7ced326870`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10B6E	11316 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.