Malicious PDF — malware analysis report

Static analysis result for SHA-256 3aeebef62f26f39d…

MALICIOUS

PDF

74.3 KB Created: 2020-12-27 19:24:29 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b3296dd66cf8fbd7224b46839a786a99 SHA-1: c976c34ccda88532e9c50508c7572735b426be66 SHA-256: 3aeebef62f26f39d269c0374926e76be240787015c23a5e88cbceecac6eed53e
104 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document identified as malicious by ClamAV and an ML classifier. It contains an embedded URI pointing to 'traffking.ru', which is likely a phishing or malware distribution site. The heuristic 'SE_INVOICE_LURE' suggests the document's content is designed to trick the user into clicking the malicious link, possibly by masquerading as an invoice or payment request.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffking.ru/123?utm_term=algebra+1+regents+january+2018+answers+part+3
    • https://cdn.sqhk.co/vexedobasof/5xNYhhM/88766428009.pdf
    • https://cdn.sqhk.co/mofosalamo/lhghOii/fupejixosenekipa.pdf
    • https://cdn.sqhk.co/ditetona/uibxdih/59747140324.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/f6f260ca-7f11-4fe3-8c88-b6ed3a70b2ab/btd6_mod_apk_10.1.pdf
    • https://uploads.strikinglycdn.com/files/00c7fdd0-564e-4a29-8301-c6b47befa8f2/geked.pdf
    • https://s3.amazonaws.com/pasawe/jixivokubirabumoxiximes.pdf
    • https://uploads.strikinglycdn.com/files/71b036cb-1f39-4ee9-baad-3dc1a3ae27ee/78118155629.pdf
    • https://s3.amazonaws.com/kavitokolezub/zalisudewafijawidit.pdf
    • https://uploads.strikinglycdn.com/files/55e90d7c-c157-4586-9573-9ffd4ee04422/48511385341.pdf
    • https://uploads.strikinglycdn.com/files/7d6f4916-f973-4ac3-ad04-7a57a3be589b/75277940368.pdf
    • https://s3.amazonaws.com/fotepopunaj/husqvarna_mower_r120s_service_manual.pdf
    • https://uploads.strikinglycdn.com/files/4c7073a1-f7a4-4c14-a580-b8db349c5abe/nelulusolobibavufimixuk.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e299.bin
5ab8e8a2645b26982db41e963d9a56cbf0c9ad9647e109786b737126371a0556		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE299 6068 bytes
font_01_sfnt_off0000f76c.bin
ca3027cdfae9b3b1a0dadb1facb88297993e947ab1448b8a9fd5e88bb84a7819		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF76C 10896 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.