Malicious PDF — malware analysis report

Static analysis result for SHA-256 66bbf9b178e3df1b…

MALICIOUS

PDF

64.2 KB Created: 2020-12-23 01:27:36 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2fd4656e3dd5aa089a33cf1d2982b32a SHA-1: 5950eff122f33bce14cc14094c9acb26b145c3e2 SHA-256: 66bbf9b178e3df1b42637437fb17e992fb8cda6fd2eb386f0456102f2c3051be
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, with heuristics indicating it contains an external URI and is a lure for a password-protected archive. The embedded URL, 'https://trafficel.ru/123?utm_term=procesos+de+investigacion', is likely the initial point of contact for a phishing or malware delivery scheme. Although no scripts were explicitly extracted, the PDF structure and heuristics suggest an attempt to trick the user into downloading a payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafficel.ru/123?utm_term=procesos+de+investigacion
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/pidufozu/social_security_administration.pdf
    • https://uploads.strikinglycdn.com/files/adc65def-2a8e-43c2-86ed-b709141dfad1/gadukowovesexexov.pdf
    • https://s3.amazonaws.com/fedure/kexirovimepimipemom.pdf
    • https://s3.amazonaws.com/norozovijalu/jotufifokirozupoxofazaput.pdf
    • https://uploads.strikinglycdn.com/files/76dfc824-8451-44c4-8ff9-8c4cf4d7ec03/array_3_codingbat_answers.pdf
    • https://s3.amazonaws.com/novipaliwid/super_compost_osrs_ge.pdf
    • https://uploads.strikinglycdn.com/files/53c399c1-20c6-49c4-a1b5-64ffe3ab94d0/sams_broadcaster_4.2_2_download.pdf
    • https://uploads.strikinglycdn.com/files/3b310471-aeab-4ec4-8b25-e78b7640bb75/mesa_water_district_salaries.pdf
    • https://uploads.strikinglycdn.com/files/2439e77b-6b0f-4b8b-a4d6-8f825482009e/lerumuzokopodesumevoro.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c0fe.bin
63a95d7e9f1cb76868e4d0fb72330df1eddfd40d3eff930fd3997d5e8334cdf6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC0FE 5136 bytes
font_01_sfnt_off0000d288.bin
3dc734161e517cbca3dbe01d3a05967d695f4981ce9455a90592078c3e3a6e54		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD288 9956 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.