Malicious PDF — malware analysis report

Static analysis result for SHA-256 68a93f2618fd160d…

Verdict: MALICIOUS

File type: PDF

Size: 50.6 KB  Created: 2021-01-13 19:16:46 +02:00  Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7). The creation date and producer string are read from the document's own Info dictionary, so they were set by whoever generated the file and are not independently trustworthy.
MD5: 64ba6f2c7158a94b0af832762dd3876a SHA-1: 4a8fd4351012b5404d536eaca95f93a30e432526 SHA-256: 68a93f2618fd160db1a07cbdb34a28e6c68a82e049c96677b19096ed20daee9b
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

ML classifiers and ClamAV both flag the file as malicious, specifically as a PDF phishing trojan. It carries an external URI action pointing at trafftec.ru, which is likely the phishing lure; the remaining URLs are file-hosting paths (mozfiles.com, s123-cdn-static.com, f-static.net, s3.amazonaws.com) for other PDFs, consistent with a "download this document" lure page rendered to PDF by wkhtmltopdf, the producer recorded in the file's metadata. No script was extracted and the only carved artifact is an embedded font, so the T1059.007 (JavaScript) mapping is not backed by an observed script and should be read as a classifier label rather than confirmed behaviour. The document structure and the embedded URI together indicate an attempt to redirect the user to a malicious site for further exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9695

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV matched the file against the phishing-trojan signature named above.
  • External URI (info, PDF_URI)
    The PDF contains an external URL (/URI) action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL by itself is not a detection; the report's per-URL channel labels (macro, JS, link annotation, document body, ...) indicate how each one is reached, and the first entry below is the external URI action referred to in the insights above.
    • https://trafftec.ru/aws?utm_term=joyous+celebration+16+music
    • https://site-1172435.mozfiles.com/files/1172435/gym_weight_training_program_for_beginners.pdf
    • https://cdn-cms.f-static.net/uploads/4424026/normal_5fd3521e2e1f7.pdf
    • https://static.s123-cdn-static.com/uploads/4488570/normal_5ffb20931dd16.pdf
    • https://static.s123-cdn-static.com/uploads/4482638/normal_5fefcdad79751.pdf
    • https://static.s123-cdn-static.com/uploads/4474722/normal_5ffd63f395b8c.pdf
    • https://site-1212713.mozfiles.com/files/1212713/devezimezamam.pdf
    • https://static.s123-cdn-static.com/uploads/4416321/normal_5fe5a66d94f6e.pdf
    • https://site-1167992.mozfiles.com/files/1167992/sodezaxekazawiwevapudor.pdf
    • https://site-1180295.mozfiles.com/files/1180295/space_raiders_rpg_tips.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/fodose/skuldafn_temple_puzzle_answer.pdf
    • https://s3.amazonaws.com/xepululejiwof/19246157897.pdf
    • https://s3.amazonaws.com/pazatuv/zowunalusarekazegofe.pdf
    • http://scripts.sil.org/OFL
    The two ascendercorp.com URLs and http://scripts.sil.org/OFL are a type foundry's website and the SIL Open Font License URL; they are consistent with the name table of the embedded font listed under Extracted artifacts rather than with the lure, and should not be blocked or pivoted on as indicators.
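How the PDF_URI and EMBEDDED_URL heuristics above can be reproduced in a first-pass static triage, as an added example that is not part of this report or of the scanning service: it inflates FlateDecode streams, reports the target of every /URI action separately from URLs that only appear in the document text, and lists the action keys (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile) that merit a closer look. The one-page PDF it analyses is constructed inline with reserved .invalid hostnames and is not the sample described on this page; the regex-based parsing is deliberately tolerant rather than a full PDF parser, so object streams and filters other than FlateDecode are not decoded.

```python
import hashlib
import re
import zlib

# First-pass static triage of a PDF's action dictionaries (added example, not the
# scanning service's code). /URI (...) is the operand of a link action; the other
# names are the keys that carry script, launch or auto-run behaviour.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
RISKY_KEY_RE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile)(?![A-Za-z0-9])")
URL_RE = re.compile(rb"https?://[^\s<>\"')]+")


def inflate_streams(data: bytes) -> bytes:
    """Replace every stream body that zlib can inflate with its plaintext.

    Page content is usually FlateDecode-compressed, so a URL written in the
    visible text is invisible to a regex until the stream is inflated.  Bodies
    that are not zlib data (images, other filters) are left as they are.
    """
    def _inflate(m):
        try:
            return m.group(1) + zlib.decompress(m.group(2)) + m.group(3)
        except zlib.error:
            return m.group(0)

    return re.sub(rb"(stream\r?\n)(.*?)(\r?\nendstream)", _inflate, data, flags=re.S)


def triage(pdf: bytes) -> dict:
    """Hashes, /URI action targets, URLs seen only in text, and risky action keys."""
    data = inflate_streams(pdf)
    uri_spans = [m.span(1) for m in URI_RE.finditer(data)]
    uri_actions = [data[a:b].decode("latin-1") for a, b in uri_spans]
    body_urls = []
    for m in URL_RE.finditer(data):
        # A URL inside a /URI operand is already reported as a link action;
        # anything else is reachable only through the text or metadata.
        if not any(a <= m.start() < b for a, b in uri_spans):
            body_urls.append(m.group(0).decode("latin-1"))
    risky = sorted({m.group(1).decode("ascii") for m in RISKY_KEY_RE.finditer(data)})
    return {
        "sha256": hashlib.sha256(pdf).hexdigest(),
        "sha1": hashlib.sha1(pdf).hexdigest(),
        "uri_actions": uri_actions,
        "body_urls": body_urls,
        "risky_keys": risky,
    }


def build_sample_pdf(link_url: str, body_url: str) -> bytes:
    """Constructed one-page PDF (not the analysed sample): a /Link annotation whose
    /A action is a /URI, plus a FlateDecode content stream that names a second URL."""
    text = ("BT /F1 12 Tf 72 720 Td (See %s) Tj ET" % body_url).encode("latin-1")
    compressed = zlib.compress(text)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >>",
        b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 740] "
        b"/A << /S /URI /URI (" + link_url.encode("latin-1") + b") >> >>",
        b"<< /Length " + str(len(compressed)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + compressed + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objects, start=1):
        out += str(num).encode() + b" 0 obj\n" + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed input; the .invalid TLD is reserved, so nothing here resolves.
SAMPLE_PDF = build_sample_pdf(
    "https://lure.invalid/aws?utm_term=joyous+celebration",
    "https://files.invalid/uploads/normal_0000.pdf",
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

Run it against a real sample with `triage(open(path, "rb").read())`. The split between `uri_actions` and `body_urls` is the point: a link-annotation target is one click away from the reader, while a URL that only appears in page text or font metadata (as with the foundry and licence URLs in this report) is context, not an indicator.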

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000b779.bin
SHA-256: 8712fc789d1daa371ad469b3576c42eaf077b43c13c4086421792933166e4e3d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xB779
Size: 5264 bytes
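One way the embedded-font artifact above can be carved from a raw file, as an added example rather than the analysis service's own code: scan for an sfnt header (0x00010000, 'OTTO' or 'true'), validate the table directory, and take the font's size as the end of its furthest table. The fake font and the PDF-like container are constructed inline; the report does not say how the service arrived at its 5264-byte size, so the extent rule used here is an assumption.

```python
import hashlib
import struct

# sfnt headers: TrueType (0x00010000), CFF-based OpenType ('OTTO') and Apple
# TrueType ('true').  Added example, not the analysis service's own carver.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
MAX_TABLES = 64  # real fonts have well under this many tables


def sfnt_extent(blob: bytes, start: int):
    """Length of the sfnt font starting at `start`, taken as the end of its
    furthest table, or None when the table directory is not plausible.  The
    extent rule is an assumption; the report does not say how its size was computed."""
    if start + 12 > len(blob):
        return None
    num_tables = struct.unpack_from(">H", blob, start + 4)[0]
    if not 1 <= num_tables <= MAX_TABLES:
        return None
    end = start + 12 + 16 * num_tables
    if end > len(blob):
        return None
    for i in range(num_tables):
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", blob, start + 12 + 16 * i)
        if not all(0x20 <= c < 0x7F for c in tag):  # table tags are printable ASCII
            return None
        table_end = start + offset + length
        if offset < 12 or table_end > len(blob):
            return None
        end = max(end, table_end)
    return end - start


def carve_fonts(blob: bytes) -> list:
    """Find every plausible sfnt font in raw bytes; return name, offset, size and SHA-256."""
    found, pos = [], 0
    while True:
        hits = [h for h in (blob.find(magic, pos) for magic in SFNT_MAGICS) if h != -1]
        if not hits:
            return found
        start = min(hits)
        size = sfnt_extent(blob, start)
        if size is None:  # e.g. the PDF keyword 'true', not a font
            pos = start + 1
            continue
        font = blob[start:start + size]
        found.append({
            "name": "font_%02d_sfnt_off%08x.bin" % (len(found), start),
            "offset": start,
            "size": size,
            "sha256": hashlib.sha256(font).hexdigest(),
        })
        pos = start + size


def build_fake_sfnt(tables: dict) -> bytes:
    """Constructed TrueType-style sfnt: header, table directory, 4-byte-aligned
    table data.  searchRange/entrySelector/rangeShift are left at 0 because the
    carver does not consult them."""
    num = len(tables)
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", num, 0, 0, 0)
    directory, body = b"", b""
    for tag, data in tables.items():
        directory += struct.pack(">4sIII", tag, 0, 12 + 16 * num + len(body), len(data))
        body += data + b"\x00" * (-len(data) % 4)
    return header + directory + body


# Constructed inputs: a fake font wrapped in PDF-like bytes, with the literal
# keyword 'true' placed before it to show that a magic match alone is not enough.
FAKE_FONT = build_fake_sfnt({b"head": b"H" * 54, b"name": b"N" * 100})
CONTAINER = (
    b"%PDF-1.4\n1 0 obj << /Marked true >> endobj\n"
    b"5 0 obj << /Length " + str(len(FAKE_FONT)).encode() + b" >>\nstream\n"
    + FAKE_FONT + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for font in carve_fonts(CONTAINER):
        print(font)
```

Scanning the raw file only finds fonts whose stream is stored uncompressed; FontFile streams are usually FlateDecode-compressed, so in practice the same scan is run over each inflated stream and the reported offset is then the stream's position in the file.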