Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c8169c488e0e2c1…

Verdict: MALICIOUS

File type: PDF

Size: 71.4 KB
Created: 2020-12-03 17:37:18 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a99a4c96f4e21187c910e7f5bb4c7ae0
SHA-1: 14280ca66164e050dc7180cec684c5a87a19947e
SHA-256: 3c8169c488e0e2c18a9aa45154b28b4b83f482474877b6d3692ee24ba3c281f2
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF triggered the 'Browser extension / update installation lure' heuristic, which indicates a social-engineering tactic intended to trick users into installing malicious software. The external URI pointing to 'trafftec.ru' supports this assessment, as it is the likely destination for the malicious download. The ClamAV detection 'Pdf.Phishing.Trojan' confirms the malicious nature of the file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Browser extension / update installation lure [high, SE_BROWSER_INSTALL_LURE]
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • External URI [info, PDF_URI]
    PDF contains an external URL action
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://trafftec.ru/aws?utm_term=disattivare+aggiornamenti+app+in+background+android

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0000da3a.bin
    SHA-256: d32784977a3e2f991eed7c7a1610c14cbe0b113770e38d40f470381024235d10
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDA3A
    Size: 5624 bytes
  • font_01_sfnt_off0000ed53.bin
    SHA-256: 4ad8da6b28cde48ea14b07a7d2e5e8b9457325f8fbe29cca38045234b91969b8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xED53
    Size: 10292 bytes