Malicious PDF — malware analysis report

Static analysis result for SHA-256 52afd8bb063c8831…

Verdict: MALICIOUS
File type: PDF

Size: 50.6 KB
Created: 2020-12-03 17:23:16 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cfa4a9286ddb8821aac6ce58cc9381c4
SHA-1: 353b77bf4102bab0031fe2eead968d1cee0906ff
SHA-256: 52afd8bb063c8831b0ef6eca0c4ab5eee5e5799bc6aa62f3ad7836c4fad28ca5
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is a PDF document that carries an external URL action. Both the ClamAV signature and the Nyx ML classifier flag it as malicious, and the linked domain (trafffi.ru) is associated with phishing. The document body, though heavily obfuscated, appears to be a lure built around 'Tagalog Christmas songs'; the same phrase appears as the utm_term parameter of the action's URL. The other URLs listed under the EMBEDDED_URL heuristic are reported because they were extracted from the file, not because each was judged malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8247

Heuristics (3)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV signature match: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafffi.ru/aws?utm_term=tagalog+christmas+songs+collection
    • https://cdn-cms.f-static.net/uploads/4373241/normal_5fbfa16477c52.pdf
    • https://cdn-cms.f-static.net/uploads/4409238/normal_5fb36ae437959.pdf
    • https://cdn-cms.f-static.net/uploads/4368474/normal_5f880ab9ecd07.pdf
    • https://cdn-cms.f-static.net/uploads/4391314/normal_5f9a119c00885.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static1.squarespace.com/static/5fc1520988c99b6d37aa082c/t/5fc534e49d7936484036823c/1606759652561/raymarine_st60_installation_manual.pdf
    • https://s3.amazonaws.com/kevava/baaghi_2_full_movie_hd_picture.pdf
    • https://s3.amazonaws.com/zumomasugipeno/winul.pdf
    • https://static1.squarespace.com/static/5fc10374bda9c57a97becd24/t/5fc56f1bf8cdb769c69b2b49/1606774556471/71847939284.pdf
    • https://s3.amazonaws.com/tixedujegibex/nacionalidades_del_ecuador.pdf
    • https://s3.amazonaws.com/lewuli/curso_de_ingles_para_principiantes_gratis.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ac9b.bin
SHA-256: 4e35a6d1acbe4c7393fc075fac3dead549c43b3a93ac9bbc028192f7dcd71472
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xAC9B
Size: 5164 bytes
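The following is an added example, not the report's own tooling and not code from ClamAV or the Nyx classifier: a stdlib-only Python scanner that reproduces the three observations above (the PDF_URI and EMBEDDED_URL heuristics and the sfnt font artifact) on a hand-built sample. It finds /URI action targets, maps every extracted URL to the channel that reaches it, and carves embedded sfnt font streams, naming them after the report's font_NN_sfnt_offXXXXXXXX.bin pattern. Everything below is assumed for illustration: the sample PDF (which reuses two URLs quoted above and a fake sfnt header in place of a real font, and has no xref table), the channel labels uri_action / document_body / raw_object, and the convention that "offset" means the file offset of the still-encoded stream data.

```python
"""Byte-level PDF triage: /URI actions, per-channel URLs, sfnt font carving.
Added example, not the report's tooling; the sample PDF and fake font are constructed."""
import hashlib
import re
import zlib

# Constructed sample data: two URLs quoted in the report plus a fake TrueType blob
# (sfnt 1.0 header followed by filler; not a real font).
LURE_URL = b"https://trafffi.ru/aws?utm_term=tagalog+christmas+songs+collection"
BODY_URL = b"http://scripts.sil.org/OFL"
FAKE_SFNT = b"\x00\x01\x00\x00\x00\x01" + b"\x00" * 6 + b"glyf" + b"\x00" * 76
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")
URL_RE = re.compile(rb"https?://[^\s<>()\[\]\"']+")
URI_LIT_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)  # /URI (literal)
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")                # /URI <hex>
# Stream dicts with one level of nesting; hex strings in a dict defeat this regex,
# so anything that matters goes to a real parser instead of a longer regex.
STREAM_RE = re.compile(rb"(?P<dict><<(?:[^<>]|<<[^<>]*>>)*>>)\s*stream\r?\n", re.DOTALL)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # direct /Length only

def _obj(num, body):
    return b"%d 0 obj\n%s\nendobj\n" % (num, body)

def _stream_obj(num, extra, data):
    packed = zlib.compress(data)
    head = b"<< /Length %d /Filter /FlateDecode %s>>\nstream\n" % (len(packed), extra)
    return _obj(num, head + packed + b"\nendstream")

def build_sample_pdf():
    """Link annotation with a /URI action, a Flate page stream mentioning a URL, and
    a FontFile2 stream. No xref table: it scans fine but will not render."""
    content = b"BT /F1 12 Tf 20 20 Td (Font licence: " + BODY_URL + b") Tj ET"
    return b"".join([
        b"%PDF-1.4\n",
        _obj(1, b"<< /Type /Catalog /Pages 2 0 R >>"),
        _obj(2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
        _obj(3, b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R "
                b"/Resources << /Font << /F1 6 0 R >> >> >>"),
        _obj(4, b"<< /Type /Annot /Subtype /Link /Rect [0 0 200 30] "
                b"/A << /Type /Action /S /URI /URI (" + LURE_URL + b") >> >>"),
        _stream_obj(5, b"", content),
        _obj(6, b"<< /Type /Font /Subtype /TrueType /BaseFont /Fake /FontDescriptor 7 0 R >>"),
        _obj(7, b"<< /Type /FontDescriptor /FontName /Fake /FontFile2 8 0 R >>"),
        _stream_obj(8, b"/Length1 %d " % len(FAKE_SFNT), FAKE_SFNT),
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])

def iter_streams(pdf):
    """Yield (stream dict, file offset of the encoded data, decoded bytes) per stream."""
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        length = LENGTH_RE.search(m.group("dict"))
        end = start + int(length.group(1)) if length else pdf.find(b"endstream", start)
        data = pdf[start:end]
        if b"/FlateDecode" in m.group("dict"):
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # damaged filter: keep the raw bytes, they are still worth a look
        yield m.group("dict"), start, data

def find_uri_actions(pdf):
    """PDF_URI heuristic: target of every /URI action, in file order. Decoded streams
    are scanned too, because objects can hide inside compressed /ObjStm streams."""
    targets = []
    for blob in [pdf] + [data for _, _, data in iter_streams(pdf)]:
        hits = [(m.start(), re.sub(rb"\\(.)", rb"\1", m.group(1)))  # undo \( \) \\
                for m in URI_LIT_RE.finditer(blob)]
        hits += [(m.start(), bytes.fromhex(m.group(1).decode()))
                 for m in URI_HEX_RE.finditer(blob)]
        for _, target in sorted(hits):
            url = target.decode("latin-1")
            if url not in targets:
                targets.append(url)
    return targets

def extract_urls(pdf):
    """EMBEDDED_URL: every URL mapped to the channels that reach it."""
    channels = {}
    for url in find_uri_actions(pdf):
        channels.setdefault(url, set()).add("uri_action")
    for _, _, data in iter_streams(pdf):  # page text, XObjects, JS, ObjStm
        for m in URL_RE.finditer(data):
            channels.setdefault(m.group(0).decode("latin-1"), set()).add("document_body")
    for m in URL_RE.finditer(pdf):  # left over in plain object syntax (Info, JS, ...)
        channels.setdefault(m.group(0).decode("latin-1"), {"raw_object"})
    return {url: sorted(c) for url, c in channels.items()}

def carve_sfnt(pdf):
    """Carve embedded sfnt fonts, named like the report's pdf-font-stream artifact."""
    fonts = []
    for _, offset, data in iter_streams(pdf):
        if data[:4] in SFNT_MAGICS:
            fonts.append({"filename": "font_%02d_sfnt_off%08x.bin" % (len(fonts), offset),
                          "offset": offset, "size": len(data), "magic": data[:4],
                          "sha256": hashlib.sha256(data).hexdigest()})
    return fonts
```

Calling find_uri_actions, extract_urls and carve_sfnt on build_sample_pdf() returns the trafffi.ru URL as the sole /URI action, the sil.org URL as a document-body hit only, and one carved font with its SHA-256. On a real document the same caveat the report states applies: an extracted URL is an indicator, not a verdict, and a byte-level regex pass misses what a full parser would see (streams with other filters, hex-string dictionaries, incremental updates), so it is a triage step, not a replacement for one.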