PDF malware analysis — malicious · 8086a6b8b793b908

MALICIOUS

PDF

63.9 KB Created: 2020-11-20 05:13:39 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8eb6a3d94993a450d88ac18a9f3d4e62 SHA-1: 2b0b227f3092933efa35db11efe4e46f48bc68f0 SHA-256: 8086a6b8b793b90830837b7940b68cb3e6f66f026a4f602092b78b7b9b9ab6ba

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an external URI pointing to 'https://traffking.ru/123?utm_term=travis+pastrana+injuries', which is likely part of a phishing lure. The document body, though heavily obfuscated, contains metadata related to wkhtmltopdf and a date, suggesting it might be a crafted document designed to exploit PDF vulnerabilities or trick users into interacting with malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://traffking.ru/123?utm_term=travis+pastrana+injuries
- https://cdn-cms.f-static.net/uploads/4425501/normal_5fa920db5e006.pdf
- https://buxexuwuf.weebly.com/uploads/1/3/4/6/134660927/pufedava_viler_sezarixo.pdf
- https://cdn-cms.f-static.net/uploads/4401692/normal_5faac6ba767aa.pdf
- https://dimejozetef.weebly.com/uploads/1/3/1/0/131070151/88dcb4250e23b.pdf
- https://cdn-cms.f-static.net/uploads/4383452/normal_5fa12f1d23651.pdf
- https://rebanurox.weebly.com/uploads/1/3/4/4/134490941/43e9813009a3.pdf
- https://cdn-cms.f-static.net/uploads/4409118/normal_5fa47c860a1fd.pdf
- https://cdn-cms.f-static.net/uploads/4365594/normal_5faeb5708aaa2.pdf
- https://botubadixebom.weebly.com/uploads/1/3/1/4/131407995/3723868.pdf
- https://cdn-cms.f-static.net/uploads/4446914/normal_5fb3696e18518.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/17543279-a52c-4a55-890b-96e5f13d717b/honeywell_rth8580wf_wifi_setup.pdf
- https://uploads.strikinglycdn.com/files/b705366d-f838-4f80-a3ac-a8f27bcbc4d0/20003579498.pdf
- https://uploads.strikinglycdn.com/files/4dda5956-ad1a-4840-b21c-1b81b385e47d/sumiwisimodelalenu.pdf
- https://uploads.strikinglycdn.com/files/10893e05-b4c4-4266-ba43-34979573016e/58382643704.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c451.bin` `f43b1914251d2f79ff69c886a95c489efc4be958c3ff31fa1cbfecd6eb213493`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC451	4868 bytes
`font_01_sfnt_off0000d4f0.bin` `97b36993aa6bf87d2e3806ae2b10e472494c4731bacdf8495af2e4b8a65add2a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD4F0	8712 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.