Malicious PDF — malware analysis report

Static analysis result for SHA-256 7c2f0c20318de1cb…

MALICIOUS

PDF

Size: 65.7 KB
Created: 2020-11-14 18:42:05 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 830c8496d002d7f38b1164494357b7b5
SHA-1: 742a523324fc15404a482357c2dc1246255c728f
SHA-256: 7c2f0c20318de1cbb8deb1c28e8fa4bf53f6de8ca078d0d776f6b339f03ab708
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, with a high probability of being a phishing or trojan delivery mechanism. It contains an embedded URI pointing to 'traffine.ru', which is likely part of the attack chain. Although no scripts were explicitly extracted, the PDF structure and embedded URLs suggest an attempt to redirect the user to a malicious site, potentially for further exploitation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffine.ru/strik?utm_term=materials+requisition+slips+are+costed
    • https://kafaziwe.weebly.com/uploads/1/3/1/0/131070109/ketesemixudi-vusodo.pdf
    • https://cdn-cms.f-static.net/uploads/4369501/normal_5fa16bbe4bc28.pdf
    • https://lonunibulitog.weebly.com/uploads/1/3/4/4/134498578/fe3260e2f1a8.pdf
    • https://jopovasido.weebly.com/uploads/1/3/4/6/134619877/3d0fce11723d63c.pdf
    • https://cdn-cms.f-static.net/uploads/4415748/normal_5f9f6c0213030.pdf
    • https://dafalozurevibi.weebly.com/uploads/1/3/4/3/134308304/9c85ed9b34f.pdf
    • https://cdn-cms.f-static.net/uploads/4381297/normal_5f8c217bd416c.pdf
    • https://cdn-cms.f-static.net/uploads/4384029/normal_5f99ad01caaf8.pdf
    • https://cdn-cms.f-static.net/uploads/4366398/normal_5f93f7c0b7138.pdf
    • https://cdn-cms.f-static.net/uploads/4366655/normal_5f88deb37e60d.pdf
    • https://nibobesexetew.weebly.com/uploads/1/3/4/2/134266191/1328153.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/satudifin/gewukovamenopova.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000c40e.bin | de293ad44394c1c6c6de57c3e08791d9b0b3021b9bf7de96ff018653e662e7fe | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC40E | 5200 bytes
font_01_sfnt_off0000d5d0.bin | 265951cc1a1dbfffa329af41e693bf0552fc8003de96f96ce39090f4920161fd | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD5D0 | 10676 bytes