Malicious PDF — malware analysis report

Static analysis result for SHA-256 8074daa60ba80227…

MALICIOUS

PDF

167.3 KB Created: 2020-11-17 20:55:16 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 42fa244d0b411e96a84dbdbf61fc7114 SHA-1: b30b0e74680edbfdfe1d1cbf6fe0b96f6ee16881 SHA-256: 8074daa60ba80227d31e65caef8a02b1ddfe39ed58e7e2c8865b0cc50db9715e
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is classified as malicious by ML and ClamAV, indicating a high likelihood of malicious intent. The presence of an external URI pointing to 'trafffe.ru' suggests a phishing or malware distribution attempt. Although no scripts were explicitly extracted, the PDF structure and embedded URI are strong indicators of a malicious document, likely delivered via spearphishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffe.ru/123?utm_term=fox+elementary+school+staff
    • https://vafumigoku.weebly.com/uploads/1/3/1/3/131384305/2d627.pdf
    • https://lotagixowila.weebly.com/uploads/1/3/1/1/131164100/gonisarogisabagudexo.pdf
    • https://xerukarikudi.weebly.com/uploads/1/3/4/3/134316935/sokigija.pdf
    • https://cdn-cms.f-static.net/uploads/4464534/normal_5fa59b3236daa.pdf
    • https://cdn-cms.f-static.net/uploads/4489058/normal_5fae4ed3473d2.pdf
    • https://nabolonoroxene.weebly.com/uploads/1/3/4/3/134373159/6a0953ac46f.pdf
    • https://rolawopu.weebly.com/uploads/1/3/4/3/134317168/9985376.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/e22a012d-a826-4b81-a6ba-f88f7963b60b/6684694618.pdf
    • https://uploads.strikinglycdn.com/files/cd5aeb66-c29b-4cbb-8fcb-5d6a6966d631/tyranny_battle_mage_build.pdf
    • https://uploads.strikinglycdn.com/files/d6977a79-6b14-4db7-9a65-ab875824b676/comfort_inn_hollywood_los_angeles.pdf
    • https://uploads.strikinglycdn.com/files/3f74105b-98cb-4cf4-b3c8-4b0bd44bad5c/83304211261.pdf
    • https://uploads.strikinglycdn.com/files/520c1545-1b5d-437d-924a-a4ce4828d500/6503611615.pdf
    • https://uploads.strikinglycdn.com/files/81bc1102-33b9-44e9-b3ff-b0c30f708787/10581608330.pdf
    • https://uploads.strikinglycdn.com/files/7da7f32c-10cd-4fc9-8e0b-24da138aa6dc/flexus_trumpet.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000257ee.bin
575a5f12e5c8a916a79d3443f10bfa58c6ad1716d63955459a593301dd38d2e6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x257EE 5248 bytes
font_01_sfnt_off000269a7.bin
50cddb537c32f123a95b11877e77b231ce2c71cec37c29960516a5e075394204		 pdf-font-stream PDF embedded font (sfnt) at offset 0x269A7 11200 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.