Malicious PDF — malware analysis report

Static analysis result for SHA-256 745ecfb9c2c1de53…

Verdict: MALICIOUS
File type: PDF

Size: 169.6 KB
Created: 2021-01-14 08:58:35 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-22
MD5: 564f282036e6e14412e51a9342b9c31d
SHA-1: 5a20a98fc000700d3edf5fbc35345426000e2761
SHA-256: 745ecfb9c2c1de53d2d4d60ee8adfb150b914a7503a59ccbbc56c8d51214aa32
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript

The PDF carries a link annotation whose URI action points to trafftec.ru (https://trafftec.ru/wb?keyword=zombie%20apocalypse%20weapons); the keyword-style query string is typical of a traffic-redirection endpoint rather than a document link. ClamAV (Pdf.Phishing.Trojan) and the ML classifier (score 0.9752) both rate the file malicious. No script content was extracted, so the T1059.007 mapping is not backed by any recovered JavaScript; the evidence is structural: an indirect object redefined with different bodies across an incremental update, plus the external URI, which together indicate a document built to send the reader to a potentially malicious site, for phishing or to fetch a further payload. The visible document text additionally lists nine more .pdf URLs on free hosting platforms (weebly.com, s3.amazonaws.com, f-static.net, sqhk.co, s123-cdn-static.com), a pattern typical of template-generated spam documents.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9752

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (scripts, launch or URI actions, or an object that references them).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafftec.ru/wb?keyword=zombie%20apocalypse%20weapons (PDF link annotation)
    • https://fileduwefevara.weebly.com/uploads/1/3/4/3/134384607/xevizawidamazagujulo.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4416923/normal_5fa406c333709.pdf (in PDF document text)
    • https://refugisedenofa.weebly.com/uploads/1/3/1/3/131380322/6876844.pdf (in PDF document text)
    • https://cdn.sqhk.co/veleviziwew/gfQA0jj/digidesign_control_24_pro_tools_12.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4421937/normal_5feccee7c582a.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/fasanag/bobina_de_tesla_paso_a_paso.pdf (in PDF document text)
    • https://s3.amazonaws.com/xumakomowi/extra_episode_8_worksheet_answers.pdf (in PDF document text)
    • https://s3.amazonaws.com/kukupunopedon/wimakor.pdf (in PDF document text)
    • https://s3.amazonaws.com/fizufapu/dunubudepukujewadusi.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    Only the first entry is a clickable link; the rest were matched in raw document bytes. The w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers, scripts.sil.org/OFL is the SIL Open Font License URL, and the two ascendercorp.com entries most likely come from vendor strings in the embedded fonts (Ascender is a font foundry); none of these is an indicator on its own.
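As an added example, not part of this report or of its analysis engine, the Python scanner below reproduces the two structural heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, and the per-channel URL attribution behind EMBEDDED_URL) over a constructed PDF. The sample bytes, the placeholder domains (link.example, example.invalid), the ACTIVE_KEYS list and the one-level reference walk are assumptions of this example; the report's engine may weigh things differently. It shows why first-wins versus last-wins resolution matters: under first-wins the page has no annotations and no link URL is reachable, under last-wins the redefined page exposes a /URI action, while the document-text URL is reachable either way.

```python
from __future__ import annotations
import re

# Constructed sample (not the analysed file; both domains are placeholders): an
# incremental update redefines page object 3 with a body that adds a /Link
# annotation carrying a /URI action; object 4 holds a URL in visible page text.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>
endobj
4 0 obj
<< /Length 46 >>
stream
BT (see https://example.invalid/doc.pdf) Tj ET
endstream
endobj
%%EOF
3 0 obj
<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://link.example/wb?keyword=test) >> >>
endobj
%%EOF
"""

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
REF_RE = re.compile(rb"(\d+)\s+(\d+)\s+R\b")
PAGE_RE = re.compile(rb"/Type\s*/Page\b")  # \b keeps /Pages out
ANNOTS_RE = re.compile(rb"/Annots\s*\[(.*?)\]", re.S)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\((.*?)\)", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
TEXT_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# Keys treated as "active content" here; an assumed list, not the report engine's.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/AA",
               b"/OpenAction", b"/SubmitForm", b"/GoToR")


def parse_objects(data: bytes) -> dict[tuple[int, int], list[bytes]]:
    """Every body seen per (num, gen), in file order; no xref needed, redefinitions kept."""
    objs: dict[tuple[int, int], list[bytes]] = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objs.setdefault(key, []).append(m.group(3).strip())
    return objs

def resolve(objs, num: int, gen: int, resolution: str) -> bytes:
    """The body a first-wins or last-wins reader would use for (num, gen)."""
    bodies = objs.get((num, gen), [])
    return (bodies[0] if resolution == "first" else bodies[-1]) if bodies else b""

def carries_active_content(body: bytes, objs, resolution: str) -> bool:
    """Active keys in the body or in any object it references (one level deep)."""
    if any(k in body for k in ACTIVE_KEYS):
        return True
    return any(any(k in resolve(objs, int(n), int(g), resolution) for k in ACTIVE_KEYS)
               for n, g in REF_RE.findall(body))

def duplicate_report(objs) -> dict[tuple[int, int], dict]:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (num, gen) defined with differing bodies."""
    out = {}
    for key, bodies in objs.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            # Severity is raised only when either reader's view carries active content.
            active = (carries_active_content(bodies[0], objs, "first")
                      or carries_active_content(bodies[-1], objs, "last"))
            out[key] = {"definitions": len(bodies), "severity": "high" if active else "info"}
    return out

def link_annotation_urls(objs, resolution: str) -> set[str]:
    """URLs reachable from a page's /Annots via a /URI action: the 'link annotation' channel."""
    urls: set[str] = set()
    for key in objs:
        page = resolve(objs, *key, resolution)
        m = ANNOTS_RE.search(page) if PAGE_RE.search(page) else None
        for n, g in (REF_RE.findall(m.group(1)) if m else []):
            annot = resolve(objs, int(n), int(g), resolution)
            # Only literal (...) strings; hex strings and escapes need a real string decoder.
            urls.update(u.decode("latin-1") for u in URI_ACTION_RE.findall(annot))
    return urls

def document_text_urls(objs, resolution: str = "last") -> set[str]:
    """URLs inside content streams: the 'document body' channel (visible text, not
    clickable by itself). Real files usually Flate-compress these streams, so
    inflate them with zlib when /Filter /FlateDecode is set before matching."""
    urls: set[str] = set()
    for key in objs:
        for data in STREAM_RE.findall(resolve(objs, *key, resolution)):
            urls.update(u.decode("latin-1") for u in TEXT_URL_RE.findall(data))
    return urls

if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    print(duplicate_report(objs), link_annotation_urls(objs, "first"),
          link_annotation_urls(objs, "last"), document_text_urls(objs), sep="\n")
```

Run it directly to print the duplicate report followed by the first-wins link set (empty), the last-wins link set and the document-text URLs. On real samples two shortcuts need replacing: content streams must be inflated before the text regex sees them, and /Annots may be an indirect reference to an array rather than an inline one, which this scanner does not follow.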

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00026113.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x26113
  Size: 5272 bytes
  SHA-256: 0dbec6f840daaeef911ff8e3c5352998eb96b40cf6c713317c79c645d4dc3728
Filename: font_01_sfnt_off00027309.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x27309
  Size: 11164 bytes
  SHA-256: da0a0d35c0d6c78e133c7af0069685d3b921b465aa63d8ca90b16783023c293b