Malicious PDF — malware analysis report

Static analysis result for SHA-256 88f765e081b17a50…

Verdict: MALICIOUS
File type: PDF
Size: 73.6 KB
Created: 2020-12-17 17:35:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 741db94bf849c175c79b253146a1c70d
SHA-1: 8b35b23b860ea5e86129fb674b01650d05d99dc8
SHA-256: 88f765e081b17a50497f6c4715b9eb4764426bcac439faf555ef4ba552c126e5
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains an embedded URL, https://trafficel.ru/123?utm_term=pioneer+woman+pancakes+with+cake+flour, which is likely used to redirect the user to a phishing site or download a secondary payload. The document body, though truncated and partially garbled, suggests a lure related to recipes, which is a common tactic for social engineering.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafficel.ru/123?utm_term=pioneer+woman+pancakes+with+cake+flour (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000ceb2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCEB2 | 5412 bytes | b888a7e9ef097a6272d30692aa48e79caa89ac42f2b359963a8320cf34c775f0
font_01_sfnt_off0000e104.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE104 | 10076 bytes | f9c581e49cfc776c3826ac45e78d97e877647fe835c4fd79c01d20c318fcd116
font_02_sfnt_off000103cc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x103CC | 16312 bytes | 975089639afea594160f6daa1ae948ffc4125994d61a9fd32dce02580f7b6b15