Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c5d0a4f5523a294…

MALICIOUS

PDF

66.6 KB Created: 2020-11-17 18:52:40 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d956e415dc9b920e4f4021e15ddcfdf5 SHA-1: bc9f3b8edead66f1278139de3713b8016d62ed49 SHA-256: 3c5d0a4f5523a294a0698e75af2076ef041199ae6ee40aaf1a45e9e35289cd0a
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. An embedded URI points to 'traffine.ru', suggesting a phishing or malware distribution lure. Although no scripts were explicitly extracted, the PDF structure and embedded URI strongly suggest an attempt to redirect the user to a malicious site, likely for credential harvesting or further payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7802

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffine.ru/strik?utm_term=bharat+ko+jano+book+pdf
    • https://cdn-cms.f-static.net/uploads/4379241/normal_5f8aed53ea8d7.pdf
    • https://cdn-cms.f-static.net/uploads/4419826/normal_5fa7bd562065b.pdf
    • https://cdn-cms.f-static.net/uploads/4418178/normal_5fa1ecf0156d0.pdf
    • https://cdn-cms.f-static.net/uploads/4393508/normal_5f8e8c8a3c7a6.pdf
    • https://zusaneji.weebly.com/uploads/1/3/0/8/130813769/46e6b5fa21aceb.pdf
    • https://cdn-cms.f-static.net/uploads/4403127/normal_5fa3cbb37b95d.pdf
    • https://nulixedupalaz.weebly.com/uploads/1/3/0/7/130739510/badasogakoxizizadu.pdf
    • https://cdn-cms.f-static.net/uploads/4366339/normal_5f93981c8de1a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/difigomisosak/fukifopo.pdf
    • https://uploads.strikinglycdn.com/files/40a2a04b-8b55-478e-a431-35c3671cf90d/76347609237.pdf
    • https://uploads.strikinglycdn.com/files/64176a11-f90e-46b9-8933-01c6af21171e/what_does_archive_mean_in_email_account.pdf
    • https://uploads.strikinglycdn.com/files/074cbf38-d81f-45bb-827f-f907b7c05ad5/34390495452.pdf
    • https://uploads.strikinglycdn.com/files/aa259beb-7d29-4322-8e8e-981a2e495c20/32021424566.pdf
    • https://s3.amazonaws.com/wepeliniru/88825671782.pdf
    • https://uploads.strikinglycdn.com/files/c7aeb65e-fd5b-436f-9f63-52f301528b49/xasovofevodizogagamavuw.pdf
    • https://uploads.strikinglycdn.com/files/f5eabecd-7515-4192-b924-ae1302878ff0/cool_roblox_usernames_2020_generator.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d63e.bin
f2266b7758c60adc86823727628fa644fa092fe2aaa5d33f465ec808d73bd4c4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD63E 3028 bytes
font_01_sfnt_off0000e119.bin
dbd4400a313be2e2828e99c8d914c5070773f988eff75aed0cdabd2e28f2fde3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE119 5248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.