Malicious PDF — malware analysis report

Static analysis result for SHA-256 56698b5fd429b12c…

Verdict: MALICIOUS
File type: PDF
Size: 57.6 KB
Created: 2020-12-11 14:03:47 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8497e013fc8835b4d4e0600a13a9483b
SHA-1: 6dee7ab9334cc85d5be5064fa4aaeaa6469b7369
SHA-256: 56698b5fd429b12c27b7cd5d40465203840a3e7145dafc6496300eb8b445057f
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by the ML classifier and by ClamAV, whose detection name identifies it as a phishing trojan. An external URI pointing to 'trafftec.ru' was extracted, suggesting a potential phishing or malware distribution attempt. The document body contains garbled text, but the presence of an external URL together with the overall malicious verdict strongly indicates a phishing or credential harvesting attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9935

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware under the signature name shown above.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://trafftec.ru/aws?utm_term=3d+video++samsung
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static1.squarespace.com/static/5fc0cc6dc14dfd36fef0f123/t/5fc1349518e72e5fdb030488/1606497432696/wuwas.pdf
    • https://static1.squarespace.com/static/5fcdf4a771251b5e499eeb04/t/5fd0452a26d54b3c06cd6b4c/1607484727398/pixipafasigurosibosafes.pdf
    • https://static1.squarespace.com/static/5fc0f33f2cf09257bd6c4f7e/t/5fc20e781972c46e3ce5db39/1606553209260/tobillo_en_ingles_torcido.pdf
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbf53d04f98375720d72231/1606374362903/mivamezifetakuso.pdf
    • https://uploads.strikinglycdn.com/files/fabe70d3-8664-4f76-ac2b-0d68bc0d7876/pokemon_blazing_emerald_starters.pdf
    • https://uploads.strikinglycdn.com/files/3ec2a178-4a7e-4496-acb8-d410e3244613/haynes_manual_peugeot_expert_van.pdf
    • https://static1.squarespace.com/static/5fc0eab716f6d44b07bedc8b/t/5fc418e808845d09240a28dd/1606686953356/84354114863.pdf
    • https://static1.squarespace.com/static/5fc79a43c89b935f15e314ea/t/5fcfb0c755629615615d9032/1607446728384/guidefitter_customer_service.pdf
    • https://static1.squarespace.com/static/5fc18dc424b06a7eb303d081/t/5fc397403485235c8635430c/1606653761485/edward_abbey_quotes_may_your_trails.pdf
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbd0e1a6a371610b8799e15/1606225434774/xedaduwaponaj.pdf
    • https://uploads.strikinglycdn.com/files/1006cdfd-300a-4c1d-b0ed-7c3a5f49e1d6/geek_auto_parts_coupon.pdf
    • https://static1.squarespace.com/static/5fc5b0fb8139af037665d853/t/5fd206dc87bef85997f425de/1607599836857/68945587435.pdf
    • https://uploads.strikinglycdn.com/files/96813f03-16f3-4733-be16-040caff41c42/boxhead_hacked_unblocked_76.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ce1d.bin
SHA-256:  5b62b62ccee3fe97de757f2121da4cd90689dd713ed6265573487108f7ed4fa6
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0xCE1D
Size:     5148 bytes