Malicious PDF — malware analysis report

Static analysis result for SHA-256 710e501bf2cad64f…

MALICIOUS

PDF

67.8 KB Created: 2020-11-25 10:50:07 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 49f18ff049cbebd90c4c807e00b90b48 SHA-1: 69e5152479af0606a98080f96694d95d38395c5c SHA-256: 710e501bf2cad64f21f7ab7aff8e5b18324cbc16b30a71ce1b3f68ab460277a7
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is identified as malicious by ClamAV and an ML classifier, with a high risk score. It contains an embedded URL pointing to 'traffset.ru', which is likely used for phishing or to download a secondary payload. The document body, though heavily obfuscated, suggests a lure related to form approval.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/123?utm_term=faa+form+337+field+approval
    • https://cdn-cms.f-static.net/uploads/4458628/normal_5fafaa886d41f.pdf
    • https://cdn-cms.f-static.net/uploads/4417212/normal_5fba69582edca.pdf
    • https://doxujivadew.weebly.com/uploads/1/3/4/8/134875716/lupemudedezozela.pdf
    • https://zugogulubituwo.weebly.com/uploads/1/3/4/2/134266111/b3a7c7924f0662f.pdf
    • https://paxesejok.weebly.com/uploads/1/3/4/3/134348383/6dd0a.pdf
    • https://gimejexoxixaza.weebly.com/uploads/1/3/1/8/131872185/987b21c6b.pdf
    • https://cdn-cms.f-static.net/uploads/4415782/normal_5fab74c0088be.pdf
    • https://cdn-cms.f-static.net/uploads/4369164/normal_5f889929c0a27.pdf
    • https://cdn-cms.f-static.net/uploads/4374371/normal_5f9d323cdcfa6.pdf
    • https://jufavufopu.weebly.com/uploads/1/3/4/3/134340263/7176132.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/07ec18e0-4220-40d2-ad7c-d81432ce30ed/93585361231.pdf
    • https://uploads.strikinglycdn.com/files/b3be8748-0f5c-4d16-9201-0e56e026c70e/7578687322.pdf
    • https://uploads.strikinglycdn.com/files/eb3c6cc7-2c50-46d2-8fd0-b052f3f2d3ca/20269340203.pdf
    • https://uploads.strikinglycdn.com/files/e99fb276-1d8e-46d6-9317-c2248ed386d6/80870429889.pdf
    • https://uploads.strikinglycdn.com/files/66a64924-145d-41cf-9e80-5a1d0e8cb07e/laxikirivanetivogixibepe.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ccca.bin
c6da214afa4a92179359d42723677ca2e40b2c1410282d2609eef0350dc00080		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCCCA 5268 bytes
font_01_sfnt_off0000deb8.bin
a8bcf7fb9ca1c248f73539f81b6c4ae87430832326a8ec86aa8887768a1ca011		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDEB8 10300 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.