Malicious PDF — malware analysis report

Static analysis result for SHA-256 397947229146a033…

MALICIOUS

PDF

67.7 KB Created: 2020-11-24 13:45:24 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bf254b0f82e4446aab7dba45e1f99d9a SHA-1: d27f5cf75c50ba9e3698e41141123f88441d8c8f SHA-256: 397947229146a033e0e54f4b1ef90d1ff61fef7a9045ab220c58e076f6ca05c9
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a suspicious domain, traffset.ru, which is likely part of a phishing or malware distribution scheme. The ML classifier and ClamAV detection strongly indicate malicious intent. Although no scripts were explicitly extracted, the PDF structure and embedded URI suggest an attempt to redirect the user to a malicious site, potentially for credential harvesting or further payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/123?utm_term=harry+potter+horcrux+cave
    • https://cdn-cms.f-static.net/uploads/4384149/normal_5f8e6bc279e8b.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/0ec7d9cc-91d9-4b8d-bae1-22f8cf910ca3/wifoxiluwoxanusikipo.pdf
    • https://uploads.strikinglycdn.com/files/cd4bb73f-3ffe-4e54-8f68-75e04f005de2/kamen_rider_decade_card_agito.pdf
    • https://s3.amazonaws.com/napoledunadigo/antropologia_libro.pdf
    • https://uploads.strikinglycdn.com/files/e1b2f16e-7343-4136-a90b-90af3b91018a/nitozosera.pdf
    • https://uploads.strikinglycdn.com/files/3766c689-400d-460e-8dff-d018b0e10e07/microeconomics_hubbard_6th_edition_p.pdf
    • https://s3.amazonaws.com/pexodugosa/smart_textiles_and_their_applications.pdf
    • https://uploads.strikinglycdn.com/files/7419e233-179a-4678-953a-54bd92e8f08c/notufoxud.pdf
    • https://uploads.strikinglycdn.com/files/5bb3e1c9-9305-43b6-a90e-8cc54f2a6ca8/tennessee_hazmat_test_study_guide.pdf
    • https://uploads.strikinglycdn.com/files/8bd65270-1bfb-4d1d-9a87-79c7092767ec/fukal.pdf
    • https://s3.amazonaws.com/potofaw/exercices_corrigs_sur_les_amplificateurs_oprationnels.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ca60.bin
d1dd60f061b75c8e211966fb2e29d6586b1cc62955f3499a049e144f2f9e0948		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCA60 5004 bytes
font_01_sfnt_off0000db6a.bin
15fda11fed7295a5472b371ff7541b4b6c888e06e6f2fa59306e3e87336d8383		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDB6A 11568 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.