Malicious PDF — malware analysis report

Static analysis result for SHA-256 63e9ac78eff1bf8e…

MALICIOUS

PDF

66.5 KB Created: 2020-11-20 07:47:33 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3e5e80923868fc3d0e95bd7ff7148c91 SHA-1: ba7a081d5b0d0608a96a0144360fd1b12c61c3f1 SHA-256: 63e9ac78eff1bf8ef78fa75416ecb11e543870ad8b98bac8215bb12e8f1ce7ef
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded URL pointing to 'traffset.ru', which is flagged as suspicious. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware delivery. No scripts were extracted, but the presence of the external URI is the primary indicator of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/123?utm_term=yellow+oval+pill+with+l
    • https://cdn-cms.f-static.net/uploads/4427086/normal_5fac5c8c2a0a4.pdf
    • https://fobijolosa.weebly.com/uploads/1/3/4/7/134730704/a50104093013.pdf
    • https://zanugikujo.weebly.com/uploads/1/3/4/3/134399251/fidudojemefasoz.pdf
    • https://cdn-cms.f-static.net/uploads/4383138/normal_5f9242d06b5b3.pdf
    • https://bapoxaluw.weebly.com/uploads/1/3/4/7/134717037/3af0492767d6.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/gifiz/57531338670.pdf
    • https://s3.amazonaws.com/sulasatevirexo/vusefunigopujizukemidip.pdf
    • https://uploads.strikinglycdn.com/files/9b278989-9709-42d5-b09b-881bbbeb4910/57672786380.pdf
    • https://s3.amazonaws.com/litunux/ra_1364_sanitary_engineering_law.pdf
    • https://uploads.strikinglycdn.com/files/82581a1d-c2b0-435b-8d11-fdc8d861c0dc/16457464110.pdf
    • https://uploads.strikinglycdn.com/files/5021d09a-f3f3-4378-a39c-13fd40b0e86d/sofiwetimofanukaken.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cc43.bin
af0c962aff16a127b071f343b437d0fdb54702a4a0f7d197bba4540f1888f37b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCC43 4748 bytes
font_01_sfnt_off0000dc80.bin
f52a1b4ac036a338782698f68f571b9b7df65bc9e33f2ccf4461d0e069802595		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDC80 9660 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.