Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a7c32f983939d64…

MALICIOUS

PDF

92.1 KB Created: 2020-11-22 00:07:58 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2e447ad8fb8239f76e5dbb4165b44f68 SHA-1: 17b86b26740b7653780c483f15cb50c431b8375b SHA-256: 4a7c32f983939d64e90d79c412ef5021fee9e0f600f8e1bce09b247e0eddb59a
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, with a high risk score. It contains an embedded URL pointing to a suspicious domain, which is likely used for phishing or to download a secondary payload. The PDF structure and embedded content suggest it is designed to exploit users through social engineering.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffnew.ru/123?utm_term=a+type+of+relational+transgression+is%253A
    • https://cdn-cms.f-static.net/uploads/4403429/normal_5f993241efdaf.pdf
    • https://cdn-cms.f-static.net/uploads/4412896/normal_5fa8dc32e733b.pdf
    • https://cdn-cms.f-static.net/uploads/4376875/normal_5f8cbc1c59b8d.pdf
    • https://cdn-cms.f-static.net/uploads/4470211/normal_5fb7b2c887a01.pdf
    • https://cdn-cms.f-static.net/uploads/4483589/normal_5faf71a24d2d1.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/465477db-798e-44d7-a7d2-4eda86befbe1/78626224321.pdf
    • https://uploads.strikinglycdn.com/files/88b524c0-af1f-4ed5-a907-b73311e37741/81738959235.pdf
    • https://uploads.strikinglycdn.com/files/0a8e7e47-568b-4558-955a-df3d2a735a32/fallout_4_prima_guide.pdf
    • https://s3.amazonaws.com/pazifetanegapu/30641589487.pdf
    • https://uploads.strikinglycdn.com/files/a0da8322-6534-428e-9110-cb4bd710de41/vituwevapexugu.pdf
    • https://uploads.strikinglycdn.com/files/3367be9e-d0dc-4abb-b4b9-b2f1401ea7e3/battle_of_warships_guide.pdf
    • https://uploads.strikinglycdn.com/files/ec36a572-55c7-4e9c-993d-e8070b3a36b9/54964586046.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00012dde.bin
fec01d4cec6122c39b403dd0d71fa51fc3f978653d498be35da39a81902ce844		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12DDE 5208 bytes
font_01_sfnt_off00013fb4.bin
bebd5b874e60cc0b2b83cbcc642046115e982d23174dcb0b47518171721254e7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13FB4 10496 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.