Malicious PDF — malware analysis report

Static analysis result for SHA-256 43e9bb6a3dd4f8e5…

Verdict: MALICIOUS
File type: PDF
Size: 79.5 KB
Created: 2020-12-06 21:33:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-22
MD5: 012e480aff541daaf51352eb9a7a9724
SHA-1: a2dc45bb2dcd3d52f5e96c552682801cb94dfd48
SHA-256: 43e9bb6a3dd4f8e5d53e84da3dc1cfb1904a94b015384dac3d5b38edaf788c21
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF with a high ML classification score and a ClamAV detection, indicating malicious intent. It contains an embedded URL pointing to 'trafftec.ru', which is likely used for phishing or malware distribution. The document body, though heavily obfuscated, suggests a lure related to 'assembly language and computer organization pdf'. No scripts were extracted, but the PDF structure and the embedded-URI heuristic strongly suggest a phishing or credential-harvesting attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9920

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content for it, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafftec.ru/aws?utm_term=assembly+language+and+computer+organization+pdf (PDF link annotation)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename, kind, source and size of each carved file:

  • font_00_sfnt_off0000d2d4.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xD2D4, 5640 bytes
    SHA-256: de7ce035c6c4b96b9e21307ebc9032a20f6ec41de2f4055f5c0ce3b0654c72d1
  • font_01_sfnt_off0000e5e4.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xE5E4, 11536 bytes
    SHA-256: a48f293294168cceb206e0b708730414462c12fbc9fb1ea86676155f64a447e7
  • font_02_sfnt_off00010dd3.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x10DD3, 16116 bytes
    SHA-256: d53d347cea387c54c087b2cd85ea94373ed5f2f525a48ba1569850c62da8c160
  • font_03_sfnt_off000122ae.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x122AE, 4324 bytes
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378