PDF malware analysis — malicious · 62e0fb7007a1412e

MALICIOUS

PDF

70.4 KB Created: 2020-11-22 05:08:07 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 626839deb5c4ea1bbad8de3f91e4d196 SHA-1: d54878604520a9ce839b8e3d6058daf348461823 SHA-256: 62e0fb7007a1412e80b331fb27350615c68f71577bb1461a2fbbde320570f4ca

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, with a specific ClamAV detection of 'Pdf.Phishing.Trojan'. An external URI, 'https://traffine.ru/aws?utm_term=according+to+jim', was extracted from the PDF content. This URL is the primary indicator of a potential phishing or malware distribution attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://traffine.ru/aws?utm_term=according+to+jim
- https://cdn-cms.f-static.net/uploads/4401555/normal_5fa56a5dc167c.pdf
- https://cdn-cms.f-static.net/uploads/4369922/normal_5f8e6f67a2af5.pdf
- https://cdn-cms.f-static.net/uploads/4385020/normal_5faaf64cc7dec.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://uploads.strikinglycdn.com/files/de1d94c2-e73f-4de5-b669-3f8c3170666b/82846227053.pdf
- https://uploads.strikinglycdn.com/files/b25d6cb4-30bd-4e27-8cd6-18ac6b65907e/manual_de_documentacion_militar_sedena.pdf
- https://uploads.strikinglycdn.com/files/2b261755-95a0-4b15-b4ac-e3fc69ad0aa8/sacramento_business_license_check.pdf
- https://s3.amazonaws.com/xirixepo/free_joomla_templates_for_websites.pdf
- https://uploads.strikinglycdn.com/files/894f061a-a8b2-413f-bcfe-0bff746ba9d2/carta_de_aceptacion_de_trabajo.pdf
- https://s3.amazonaws.com/fajonubinomeder/cctv_installation_guide.pdf
- https://s3.amazonaws.com/vonuxagupeduze/96122294408.pdf
- https://uploads.strikinglycdn.com/files/7b2487ff-26f6-446d-9f46-05f0ff55441b/jekozatumudolinum.pdf
- https://s3.amazonaws.com/lanubili/30081476852.pdf
- https://s3.amazonaws.com/pazovugal/belakinunalirexabo.pdf
- https://uploads.strikinglycdn.com/files/67e62732-d909-464e-a00f-b85e3ec06e70/47535093493.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ccf7.bin` `048dfb13419fd262e0a86c71371c7218d72b4b59df97ef667253a49734f8649d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCCF7	4572 bytes
`font_01_sfnt_off0000dc58.bin` `a52c15eac98b66135b26c6a3c472f5ce5f479a6ab6d0c9ed3d0cebe8cb819162`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDC58	10008 bytes
`font_02_sfnt_off0000fea8.bin` `1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFEA8	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.