Malicious PDF — malware analysis report

Static analysis result for SHA-256 23e9e1a95c9a2408…

MALICIOUS

PDF

74.5 KB Created: 2020-12-15 21:45:47 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b5ff42c7cbe648d1a0da7403eb15a374 SHA-1: ebed2c722f0705dd80f2285dfb2d8cf1cba0b8a0 SHA-256: 23e9e1a95c9a2408252f180680992cd7cb9c5a6b8cd29a6ca8def58ead9f51f5
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'trafffe.ru', which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, suggests a lure related to a 'Yin yoga book pdf'. No scripts were extracted, but the PDF structure itself is indicative of malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffe.ru/123?utm_term=yin+yoga+book+pdf
    • https://cdn-cms.f-static.net/uploads/4365582/normal_5f874755ec7a9.pdf
    • https://cdn-cms.f-static.net/uploads/4452851/normal_5fd0d41a5b37b.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static1.squarespace.com/static/5fc0d3b00b6b03258f353712/t/5fcfcae628714b03f1bbca3c/1607453417094/minecraft_live_wallpaper_mobile_legends_download.pdf
    • https://uploads.strikinglycdn.com/files/0b532955-ba81-429b-94d5-03a518eee1a8/nokatedipegizusudunusu.pdf
    • https://uploads.strikinglycdn.com/files/894b57c5-d9d5-4e16-b937-493b63677795/charmglow_patio_heater_parts_thermocouple.pdf
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbcfab18cb11b25c09bd43f/1606220466138/75056086271.pdf
    • https://uploads.strikinglycdn.com/files/3d0706b3-0567-431c-8880-14766fa71b8e/73245098643.pdf
    • https://uploads.strikinglycdn.com/files/e278792d-b63c-496c-b80f-4ca24c6ecbd3/48391125800.pdf
    • https://static1.squarespace.com/static/5fce5bda5d43e676cbd596b1/t/5fd64d73ab1a676c728b26b4/1607880052918/fivelomononevenozoxerere.pdf
    • https://static1.squarespace.com/static/5fc13a23affbf90a66eca3c4/t/5fc307a24f98375720435912/1606616994854/manuxazaz.pdf
    • https://uploads.strikinglycdn.com/files/739edf82-5309-489a-9364-2c1d78ce8c74/sunbeam_microwave_sgb8901_manual.pdf
    • https://uploads.strikinglycdn.com/files/1fd5b21a-fceb-4254-8ab3-06076eebe5d2/tutesuxinejus.pdf
    • https://uploads.strikinglycdn.com/files/47ffd859-ee2d-4e55-82e3-a7ac83698ee2/jupaxorodezutagiw.pdf
    • https://static1.squarespace.com/static/5fc1129368612547ed5f20ea/t/5fc35705145a8629dc1b55db/1606637319526/cellular_transport_and_the_cell_cycle_worksheet_answer_key.pdf
    • https://static1.squarespace.com/static/5fc0cbc7c6d964583621a279/t/5fc3f745173fb5383b1e48bb/1606678342403/gajudabevobel.pdf
    • https://uploads.strikinglycdn.com/files/486f12c9-6068-4227-85f0-efcccbc3784a/bilifabo.pdf
    • https://static1.squarespace.com/static/5fc54a99f7cf8c754047cbac/t/5fd17fc0b91f50015ee4f3a2/1607565250531/87671111134.pdf
    • https://uploads.strikinglycdn.com/files/2483b652-939c-4f2b-88b6-70969fa7f9a8/xaxadojufexeminuwexuwato.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e5bd.bin
dfc89bd2f38bbdb81d2a7e5ef76df65f7fa52b7835259cc6a206acb4799807c9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE5BD 5172 bytes
font_01_sfnt_off0000f77d.bin
62803bc0c5eab86fb9b20b4dfc05926d5f8bbd965d93dd64f10503d4443766e5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF77D 11188 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.