Malicious PDF — malware analysis report

Static analysis result for SHA-256 77e508388a32504e…

MALICIOUS

PDF

90.9 KB Created: 2020-12-16 05:25:19 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 674a3d7413d1f13f0a55b7ba1c6178eb SHA-1: d1bc4aa6de593d05609b698a3501f214adca08e9 SHA-256: 77e508388a32504ec6ec44d3c72645f3960ee9ea93d467c7148bf13f53164cfc
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, specifically as a phishing trojan. It contains an embedded URL pointing to 'https://trafftec.ru/123?utm_term=what+does+wand+flexibility+mean', which is likely the lure. Although no scripts were extracted, the PDF structure and the presence of an external URI strongly suggest a phishing attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafftec.ru/123?utm_term=what+does+wand+flexibility+mean
    • https://cdn-cms.f-static.net/uploads/4452169/normal_5fc02ee7382f5.pdf
    • https://cdn-cms.f-static.net/uploads/4407724/normal_5f9c2bdf094eb.pdf
    • https://cdn-cms.f-static.net/uploads/4367665/normal_5f8d82fa4a5e9.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/muxegeza/ending_blends_worksheets_2nd_grade.pdf
    • https://static1.squarespace.com/static/5fc6d9a3fa9ecc39789baefb/t/5fc938d439c3d831296b3717/1607022804574/lemonade_social_entrepreneurship.pdf
    • https://s3.amazonaws.com/defujo/kefapusogutinepuxasidofu.pdf
    • https://uploads.strikinglycdn.com/files/f924ce8f-3a58-4a27-9075-c0b2a316c72b/zawugowitofurutukozoko.pdf
    • https://uploads.strikinglycdn.com/files/e18888c7-5472-43da-9890-6c8a480f03ae/goketijadifo.pdf
    • https://static1.squarespace.com/static/5fc27d2011f6a419848fbce5/t/5fcd925bfe657040d5ab7b7a/1607307868095/11090452792.pdf
    • https://uploads.strikinglycdn.com/files/7ae36421-77ea-4621-b040-10773c4eb4ed/topijopuluwix.pdf
    • https://uploads.strikinglycdn.com/files/fd9b9c69-7f9f-42bd-a4f3-ce4536055be0/surface_area_of_cones_worksheet_kuta.pdf
    • https://uploads.strikinglycdn.com/files/2d2246ba-20b2-4c5a-8bb8-3d31f7b5c8a4/pdf_giant_steps.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000129fb.bin
204d916ad164a8a4c7cc012d7e9a642b98a7931dae47c203f60630a51f50449d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x129FB 5464 bytes
font_01_sfnt_off00013c90.bin
9ceefa71fe802229d10cc557ce351520d0f2eca703e93cc21a1fc42a192dd29e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13C90 10016 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.