Malicious PDF — malware analysis report

Static analysis result for SHA-256 3f0271fd5a4a186d…

MALICIOUS

PDF

Size: 73.3 KB
Created: 2020-11-24 04:58:15 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 11fff774e6c9da5d8d8b956e91a226ea
SHA-1: b9b074e47f71c2e7801bdf4ad5c98bba3c1c1006
SHA-256: 3f0271fd5a4a186d843aa0aa5d8a6aa4e5035297238c00c9a487b5fb694d9a3f
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file was flagged as malicious by both the ML classifier and ClamAV. Its metadata shows it was rendered from HTML with wkhtmltopdf, and it contains an external URL action; the extracted URL https://traffking.ru/123?utm_term=... carries a utm_term parameter that spells out an essay question about 'The Cask of Amontillado', so the link most likely redirects the reader from a homework-style lure document to a malicious or fraudulent site. The document body, though heavily obfuscated, appears to contain text on the same story, consistent with that lure. No scripts were extracted, so the verdict rests on the external URI, the ClamAV phishing signature and the classifier score rather than on observed active content; the T1059.007 mapping above should be read with that in mind.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware under the signature named above.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action (a /URI action that opens a link when the reader follows it).
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for that object, a parser-confusion shape seen in targeted PDFs. Body-only differences are also common in benign incremental updates (a saved annotation, a filled form field), so severity is raised only when the duplicate carries active content such as an action, a script or an embedded file.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels state which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://traffking.ru/123?utm_term=in+the+cask+of+amontillado+why+does+montresor+seek+to+avenge+himself+against+fortunato
    Other URLs found in the file:
    • https://cdn-cms.f-static.net/uploads/4389797/normal_5fbbc7874ae9f.pdf
    • https://cdn-cms.f-static.net/uploads/4421770/normal_5fa5e658f2cd4.pdf
    • https://cdn-cms.f-static.net/uploads/4368745/normal_5f8d759b14976.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/d8d2f6bc-c009-4484-99c7-328e6f2dbce1/boxifabinusaturin.pdf
    • https://uploads.strikinglycdn.com/files/a7e7abf1-b2aa-4d82-bd9f-d30c26e3552b/43194813654.pdf
    • https://s3.amazonaws.com/ruzumeb/reelfoot_lake_fishing_report_october_2018.pdf
    • https://s3.amazonaws.com/xupovobejanam/7384579400.pdf
    • https://s3.amazonaws.com/fowonaxul/advisera_conformio_login.pdf
    • https://s3.amazonaws.com/rodigapigeta/5167884613.pdf
    • https://s3.amazonaws.com/zalomi/asko_d5253_dishwasher_repair_manual.pdf
    • https://s3.amazonaws.com/zevutebulaworel/advanced_factoring_worksheet.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    Analyst note on the list above: the w3.org, purl.org and ns.adobe.com entries are XMP namespace identifiers and the scripts.sil.org/OFL, ascendercorp.com and daltonmaag.com entries are font licence and foundry references carried by the embedded fonts; none of these is a navigable link target. The f-static, strikinglycdn and s3.amazonaws.com entries are, by their form, links to other hosted PDFs and are worth pivoting on.
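The two heuristics above (duplicate object bodies and per-channel URL labelling) are easy to reproduce at the byte level. The script below is an added example written for this report; it is not the scanner that produced the page. It scans a PDF for `N G obj ... endobj` definitions, flags object numbers whose bodies differ and raises severity only when a copy carries active content, shows what a first-wins versus a last-wins reader would resolve, and labels each URL by the channel that reached it (a `/URI` link action, an XMP namespace identifier, other XMP metadata, or plain document body). It assumes an unencrypted PDF whose objects are not packed into object streams, which wkhtmltopdf output such as this sample satisfies; the sample PDF, its URLs and its incremental update are constructed for the demo.

```python
"""Regex-level PDF triage: duplicate indirect objects and URL channel labels.

Added example for this report, not the scanner's own code. Works on unencrypted
PDFs without object streams. The sample PDF at the bottom is constructed.
"""
import hashlib
import re
from collections import defaultdict

# "N G obj ... endobj"; the lookbehind stops "10 0 obj" from also matching as "0 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Literal-string form of a URI action: /URI (https://...)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s<>\"')\]]+")
# Keys whose presence in a duplicated body turns the finding from info to high.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")
# Namespace URIs that live in XMP packets and are never navigated to.
XMP_NAMESPACES = (b"http://www.w3.org/", b"http://purl.org/dc/", b"http://ns.adobe.com/")


def iter_objects(data):
    """Yield (num, gen, body, offset) for every top-level object definition, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def find_duplicate_objects(data):
    """Map (num, gen) -> [(offset, sha256, has_active_content), ...] for objects defined
    more than once with differing body bytes. Byte-identical re-emissions are ignored."""
    seen = defaultdict(list)
    for num, gen, body, off in iter_objects(data):
        digest = hashlib.sha256(body).hexdigest()
        active = any(k in body for k in ACTIVE_KEYS)
        seen[(num, gen)].append((off, digest, active))
    return {k: v for k, v in seen.items() if len({d for _, d, _ in v}) > 1}


def triage_duplicates(data):
    """Severity per duplicated object: 'high' if any copy carries active content, else 'info'."""
    return {k: ("high" if any(a for _, _, a in v) else "info")
            for k, v in find_duplicate_objects(data).items()}


def resolve(data, num, gen, policy):
    """Body a 'first'-wins or 'last'-wins reader would use. Real readers follow the xref
    chain; file order approximates that for plain appended incremental updates."""
    bodies = [b for n, g, b, _ in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def classify_urls(data):
    """Label each URL with the channel that reached it: link_action (clickable /URI),
    xmp_namespace (schema identifier in metadata), xmp_metadata (other URL inside XMP),
    or document_body (anything else, e.g. visible text or a font licence string)."""
    labels = defaultdict(set)
    for _, _, body, _ in iter_objects(data):
        in_xmp = b"<x:xmpmeta" in body or b"<?xpacket" in body
        action_urls = set(URI_ACTION_RE.findall(body))
        for u in action_urls:
            labels[u.decode("latin-1")].add("link_action")
        for u in URL_RE.findall(body):
            if u in action_urls:
                continue  # already labelled as the action target
            if in_xmp and u.startswith(XMP_NAMESPACES):
                labels[u.decode("latin-1")].add("xmp_namespace")
            elif in_xmp:
                labels[u.decode("latin-1")].add("xmp_metadata")
            else:
                labels[u.decode("latin-1")].add("document_body")
    return dict(labels)


# ---- constructed sample: one page, one link annotation, one XMP packet ----
XMP = (b"<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>"
       b"<x:xmpmeta xmlns:x='adobe:ns:meta/'>"
       b"<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'/>"
       b"</x:xmpmeta><?xpacket end='w'?>")


def link_obj(url):
    """Object 4: a Link annotation whose /URI action opens `url` (constructed)."""
    return (b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
            b"   /A << /S /URI /URI (" + url + b") >> >>\nendobj\n")


SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>\nendobj\n",
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n",
    link_obj(b"https://example.com/benign"),
    b"5 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(XMP),
    XMP, b"\nendstream\nendobj\n",
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    # Appended incremental update: object 4 redefined with a different link target,
    # so a first-wins reader shows the benign URL and a last-wins reader the lure.
    link_obj(b"https://attacker.example/lure"),
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
])

if __name__ == "__main__":
    print("duplicates:", triage_duplicates(SAMPLE_PDF))
    print("first-wins:", resolve(SAMPLE_PDF, 4, 0, "first"))
    print("last-wins: ", resolve(SAMPLE_PDF, 4, 0, "last"))
    for url, chans in classify_urls(SAMPLE_PDF).items():
        print(f"{url} <- {sorted(chans)}")
```

Run against the real sample, the XMP namespace and font licence URLs fall out as `xmp_namespace`/`document_body` and only the `/URI` target is labelled `link_action`, which is the separation the EMBEDDED_URL heuristic asks the analyst to make. The regex scan is deliberately not a full parser: it will miss objects inside compressed object streams and will not follow `/Prev` xref chains, so treat its first/last-wins view as an approximation to confirm with a real reader.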

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off0000d3b0.bin
  SHA-256: fcfc56bbe7311d7835cb53915ba80fe233869b09cc52a259fcb5df1cb678deba
  Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0xD3B0    Size: 5572 bytes

font_01_sfnt_off0000e689.bin
  SHA-256: ebcb5353324d92b0f5c022c949077992dd2b6c88b420933b6d552f84c23719e7
  Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0xE689    Size: 10336 bytes

font_02_sfnt_off0001098b.bin
  SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
  Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x1098B    Size: 4324 bytes