Malicious PDF — malware analysis report

Static analysis result for SHA-256 82be9a9431de80e0…

MALICIOUS

PDF

71.2 KB Created: 2020-12-16 23:14:24 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c403b1660d9151f4f8df4e8ae5c54a37 SHA-1: d04e08dbc45be226e87e96f2c5ef457d460cc6f7 SHA-256: 82be9a9431de80e00b4ea5c7ff5ee342880b04bff911059483538a2631dbf980
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. An external URI pointing to 'traffking.ru' was extracted, suggesting the document's purpose is to redirect users to a potentially harmful website. The embedded URL and the nature of the heuristic firings strongly suggest a phishing or credential harvesting attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffking.ru/strik?utm_term=wizard101+grizzleheim+fire+spells
    • https://cdn-cms.f-static.net/uploads/4367964/normal_5f878ad44f85d.pdf
    • https://cdn-cms.f-static.net/uploads/4377120/normal_5fa7c30d54461.pdf
    • https://cdn-cms.f-static.net/uploads/4495262/normal_5fbd9b5d3e689.pdf
    • https://tujebikofo.weebly.com/uploads/1/3/4/3/134359874/f6227bb732.pdf
    • https://cdn-cms.f-static.net/uploads/4418180/normal_5fd242d49788d.pdf
    • https://vovikadu.weebly.com/uploads/1/3/4/5/134587732/9032611.pdf
    • https://cdn-cms.f-static.net/uploads/4409998/normal_5fbae114e5695.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/lezerawe/blizzard_er_0_b_s.pdf
    • https://uploads.strikinglycdn.com/files/6322c51a-f665-4340-8bc5-1618cc969775/mary_ellen_guffey_business_communica.pdf
    • https://uploads.strikinglycdn.com/files/ec6bc212-86fd-4479-9753-ac8e212c0124/merizaso.pdf
    • https://uploads.strikinglycdn.com/files/b9b8f1ce-5178-44bb-90e6-64d57e5451ed/anna_carey_eve_2.pdf
    • https://uploads.strikinglycdn.com/files/47459c92-449e-4018-8e16-0bb97cb46514/16782875246.pdf
    • https://s3.amazonaws.com/xukonakefules/itunes_for_samsung_chromebook.pdf
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbe03ecfa04221c71e765ba/1606288366101/f2p_ironman_guide.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d67c.bin
584619514582772a16fb7c8b66b6605f5c4e47c9bd99537b35d76b57041789b4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD67C 5712 bytes
font_01_sfnt_off0000e9dd.bin
6201c74186985e2e0dac635401e9121e9c648959332f886d420b63f29ffca469		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE9DD 11288 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.