Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ff392d74ee99653…

MALICIOUS

PDF

72.1 KB Created: 2020-12-14 21:54:03 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 62c5e8ee6793dcf162cd8cd1d1cf7c31 SHA-1: 7b41116c23a858168a2ea5e987686ad35b51e966 SHA-256: 4ff392d74ee99653bc82b723d1aa5cb7cc1cb182beb306a78214d6e2be559050
104 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by a machine learning classifier and ClamAV as malicious, indicating a high likelihood of malware. The presence of an embedded URI pointing to 'trafftec.ru' suggests a phishing or malware distribution attempt. The heuristic 'SE_INVOICE_LURE' further supports the idea that the document is designed to trick the user into interacting with the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafftec.ru/strik?utm_term=baby+trend+sit+and+stand+manual
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/zosevid/american_bully_breeders_arizona.pdf
    • https://s3.amazonaws.com/tedowafomaru/90783634826.pdf
    • https://static1.squarespace.com/static/5fc4c5737848ba205d318c94/t/5fd6afbe226e9048fac2c20c/1607905215957/96829721932.pdf
    • https://static1.squarespace.com/static/5fc59b71c6229360ecccef93/t/5fcea25cc463130800a25cad/1607377502835/sling_tv_phone_number_yelp.pdf
    • https://static1.squarespace.com/static/5fc51ca1bd14ff0dd2b7ddca/t/5fd758b95b1f6f7539f3fd84/1607948473568/76299641609.pdf
    • https://s3.amazonaws.com/rafiralexezol/antivirus_for_pc_softonic.pdf
    • https://s3.amazonaws.com/gopuze/liability_waiver_template_ontario.pdf
    • https://s3.amazonaws.com/kufazete/37965761150.pdf
    • https://static1.squarespace.com/static/5fc0c8f51452f90b7fe4c8fc/t/5fc18d96f3de5e49b59f60f6/1606520215827/west_central_valley_auction.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d4f4.bin
b7f317aa0f29cd34df008dc84d8f376d2685882a57a4a5cd0d86477d0adf885a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD4F4 2828 bytes
font_01_sfnt_off0000deef.bin
06817638801068450b0018fc891ac764ffb6a905e7d356576419d63cabc52d05		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDEEF 5264 bytes
font_02_sfnt_off0000f0ba.bin
373c8c13041022fb7ee25f93c8f3caf1d29422949ce54298419549f54920772f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF0BA 10168 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.