Malicious PDF — malware analysis report

Static analysis result for SHA-256 6e6b321f7d8719b1…

Verdict: MALICIOUS
File type: PDF

Size: 69.4 KB
Created: 2020-12-21 19:57:44 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-07
MD5: 55335b033b8dd266f540d76073f3a8b4
SHA-1: 6829fbae0bb745d259f0627a6a7d762d40e25d1d
SHA-256: 6e6b321f7d8719b1afbf95baafcaea2689525799550726766f9051805e8f098d
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF was flagged as malicious by the Nyx ML classifier (score 0.9998) and by ClamAV, giving a high risk score. Its single link annotation carries a URI action pointing to 'traffking.ru' (with a utm_term of 'chutti tv channel'), which suggests a phishing or malicious content delivery attempt via a click-through redirector. The document text is about the 'Chutti tv channel' and is most likely the lure; the many .pdf URLs in the body text are file-hosting links that are consistent with SEO-style lure documents. One indirect object is also defined twice with different bodies, so first-wins and last-wins PDF readers may resolve different content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffking.ru/aws?utm_term=chutti+tv+channel In PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4393036/normal_5fa25ca4cf824.pdf In PDF document text
    • http://www.ascendercorp.com/ In PDF document text
    • http://www.ascendercorp.com/typedesigners.html In PDF document text
    • http://www.daltonmaag.com/ In PDF document text
    • https://uploads.strikinglycdn.com/files/8609ecb7-f1cd-4acd-8938-a338887d9872/96993661661.pdf In PDF document text
    • https://s3.amazonaws.com/liguwubore/webupitijosejirifopebilu.pdf In PDF document text
    • https://uploads.strikinglycdn.com/files/8be0f159-5729-426e-adc4-4519db743ec2/tipagi.pdf In PDF document text
    • https://static1.squarespace.com/static/5fc27fb3239b0722913b63ef/t/5fc7311a0791337046e01167/1606889756264/dizujibopujejefotaneral.pdf In PDF document text
    • https://static1.squarespace.com/static/5fc66076b8467722f1f92596/t/5fd71133267c8d0ace5e71b2/1607930165838/comptia_pentest_exam_guide.pdf In PDF document text
    • https://s3.amazonaws.com/levovod/introduction_rondo_capriccioso_saint_saens.pdf In PDF document text
    • https://s3.amazonaws.com/fekazudabo/tovadegesisetapajew.pdf In PDF document text
    • https://uploads.strikinglycdn.com/files/f2bfcb51-9c9c-43ca-961b-cbe31d7bf401/65743850203.pdf In PDF document text
    • https://static1.squarespace.com/static/5fdc9bbe50f46d6500014148/t/5fdcf55c1a50611b2c055533/1608316254066/63417146598.pdf In PDF document text
    • https://static1.squarespace.com/static/5fc59aeaea4a794d566534d6/t/5fc66a8ff8cdb769c6c01615/1606838928933/19435148308.pdf In PDF document text
    • https://s3.amazonaws.com/firigugixujotov/father_of_the_bride_short_speech_templates.pdf In PDF document text
    • https://uploads.strikinglycdn.com/files/17d4b9a8-e6e9-480e-972f-a2ccdc448925/boards_and_beyond_quizzes.pdf In PDF document text
    • https://uploads.strikinglycdn.com/files/1ff50d7a-2e37-49f4-a6f4-5991881e3bcf/90417441047.pdf In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://purl.org/dc/elements/1.1/ In PDF document text
    • http://ns.adobe.com/pdf/1.3/ In PDF document text
    • http://ns.adobe.com/xap/1.0/ In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/ In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/ In PDF document text
    • http://scripts.sil.org/OFL In PDF document text
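The two heuristics above that carry the most analytic weight are PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (the same `N G obj` defined twice with different bytes) and the per-URL channel labels (link annotation versus body text). The following script is an added example, not the analysis platform's own code, showing how a triage tool can reproduce both checks: it walks every indirect object definition in file order, keeps duplicates instead of collapsing them, reports which duplicates carry active-content keys, and resolves link-annotation URIs under both a first-wins and a last-wins policy so the analyst sees what each reader family would follow. The embedded PDF bytes are constructed for the example (they are not this sample's content; the traffking.ru URL is reused only as the last-wins value) and the helper names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample (NOT the analysed file): a one-page PDF followed by an
# incremental update that redefines object 4 (the page's link annotation)
# with a different /URI. The xref tables are deliberately minimal; the scan
# below never trusts xref and instead finds every "N G obj ... endobj" span.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.org/benign) >> >> endobj
xref
0 5
trailer << /Size 5 /Root 1 0 R >>
startxref
0
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://traffking.ru/aws?utm_term=chutti+tv+channel) >> >> endobj
xref
0 1
trailer << /Size 5 /Root 1 0 R /Prev 0 >>
startxref
0
%%EOF
"""

# "N G obj <body> endobj"; the lookbehind stops a trailing digit of some other
# token from being read as part of the object number.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
LINK_RE = re.compile(rb"/Subtype\s*/Link\b")
# Literal-string /URI value; handles backslash escapes but not balanced nested
# parentheses or hex strings (<...>), which a full parser would also cover.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Keys whose presence makes a duplicate body "active" rather than cosmetic.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/URI", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/GoToE")


def parse_objects(data):
    """Map (num, gen) -> list of raw body bytes in file order, duplicates kept."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def has_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def duplicate_objects(objs):
    """Objects defined more than once with differing bodies.

    Mirrors the report's severity rule: a body-only difference is 'info'
    (benign incremental updates do this all the time) unless either body
    carries active content, in which case it is escalated.
    """
    findings = {}
    for key, bodies in objs.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = has_active_content(bodies[0]) or has_active_content(bodies[-1])
            findings[key] = {
                "first": bodies[0],
                "last": bodies[-1],
                "active": active,
                "severity": "high" if active else "info",
            }
    return findings


def link_annotation_uris(objs, policy="last"):
    """URIs reachable via /Link annotations under a first-wins or last-wins reader."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    uris = []
    for (num, gen), bodies in sorted(objs.items()):
        body = bodies[-1] if policy == "last" else bodies[0]
        if LINK_RE.search(body):
            uris.extend(m.group(1).decode("latin-1") for m in URI_RE.finditer(body))
    return uris


def triage(data):
    """One-shot summary an analyst can diff between reader policies."""
    objs = parse_objects(data)
    return {
        "object_count": len(objs),
        "duplicates": duplicate_objects(objs),
        "uris_first_wins": link_annotation_uris(objs, "first"),
        "uris_last_wins": link_annotation_uris(objs, "last"),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_PDF)
    for key, d in result["duplicates"].items():
        print(f"{key[0]} {key[1]} obj defined twice, severity={d['severity']}")
    print("first-wins reader follows:", result["uris_first_wins"])
    print("last-wins reader follows: ", result["uris_last_wins"])
```

On the constructed file the two policies disagree: a first-wins reader resolves the benign URI while a last-wins reader resolves the traffking.ru one, which is exactly the divergence the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic warns about. The scan ignores xref entirely because a crafted xref is part of the same confusion trick; when running this on real samples, also decompress object streams (/Type /ObjStm) before scanning, since definitions inside them are invisible to the raw regex.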

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000c93d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC93D | 4468 bytes | 412d5ba22c2211146dde50b6a4f5d0f7c9f7f9951b795a8a861ca081dc7e7687
font_01_sfnt_off0000d86c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD86C | 10120 bytes | 84adb43c4b87be09c183ae00c8537f889e264b42e0bd0a72c0aa5d1ad1d9de8e
font_02_sfnt_off0000fb1c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFB1C | 4324 bytes | d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378