Malicious PDF — malware analysis report

Static analysis result for SHA-256 503c962966ce3743…

MALICIOUS

PDF

73.3 KB Created: 2020-11-13 12:08:07 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ccbf32b155d777fd09aec9ecc09c4e31 SHA-1: 76fae1e039b0d9a3529a43086c3befbba6951377 SHA-256: 503c962966ce374334339dcfec5ddbe1a4fef20cf710c40fc4e7467f7d7cd6b0
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, with a high risk score. It contains an embedded URI pointing to 'traffking.ru', a known malicious domain, and another suspicious Weebly URL. The PDF structure and embedded content suggest it is designed to trick users into visiting these external resources, likely for phishing or to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffking.ru/strik?utm_term=ringo+new+vegas
    • https://guwomenod.weebly.com/uploads/1/3/0/8/130873843/3409757.pdf
    • https://fegixobipe.weebly.com/uploads/1/3/4/4/134467450/winasasodurepujof.pdf
    • https://topizamo.weebly.com/uploads/1/3/4/4/134435864/1507993.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/xisefowu/paralegal_near_me_now.pdf
    • https://uploads.strikinglycdn.com/files/8164729b-1bc3-4b53-ac88-396ef2477d1d/14640907635.pdf
    • https://uploads.strikinglycdn.com/files/88db3f38-6a39-43e8-bbaa-8311ab947fbe/pokefabowiwoba.pdf
    • https://s3.amazonaws.com/wusigipufuvowix/94108255768.pdf
    • https://s3.amazonaws.com/rimepusox/43203162759.pdf
    • https://s3.amazonaws.com/henghuili-files2/toefl_listening_practice_test_with_answers.pdf
    • https://s3.amazonaws.com/lebaxa/cub_scout_manual_wolf.pdf
    • https://s3.amazonaws.com/xarojapi/roblox_app_downloader.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e2c3.bin
25ee84692794b7c3d521421bc2378f43cfaf2716eef2e5f706d236075854cdff		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE2C3 4884 bytes
font_01_sfnt_off0000f396.bin
9796e6e0d73e5efc78f67b490285d76a21a9efd11c8c3a235f7a0ef272b32660		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF396 10912 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.