Malicious PDF — malware analysis report

Static analysis result for SHA-256 9111187324eac4f6…

MALICIOUS

PDF

69.1 KB Created: 2020-11-26 23:57:03 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b023c7b5db17d5cc112591a35e6a4ce7 SHA-1: d3542d7e6bbb4d861d0549b40c6b57ddde16f0d1 SHA-256: 9111187324eac4f6cb1e744210815a123ea691ef45859d30fa070924a1e113fa
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains an embedded URI pointing to 'trafffe.ru', which is likely used to deliver a malicious payload or redirect the user to a phishing site. The document body, though heavily obfuscated, suggests a lure related to financial reports.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffe.ru/aws?utm_term=credit+suisse+global+wealth+report+2016
    • https://cdn-cms.f-static.net/uploads/4366350/normal_5f871ac6da26b.pdf
    • https://cdn-cms.f-static.net/uploads/4423452/normal_5fb76a64ad90a.pdf
    • https://cdn-cms.f-static.net/uploads/4366661/normal_5fabf07e5efc1.pdf
    • https://cdn-cms.f-static.net/uploads/4446925/normal_5fb79da9f2180.pdf
    • https://cdn-cms.f-static.net/uploads/4475727/normal_5fa89fa5d97a6.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/0b2077c8-b0b6-4dfd-847c-ce03746afafb/woruvumud.pdf
    • https://uploads.strikinglycdn.com/files/e38fb5e7-d2c2-412a-8004-505c30c92ce4/96914464090.pdf
    • https://uploads.strikinglycdn.com/files/fd1b53b0-87b0-46e7-9bc1-814b42424cb7/main_idea_worksheets_for_2nd_graders.pdf
    • https://s3.amazonaws.com/tizowodifi/jedalezuxituzigupeped.pdf
    • https://uploads.strikinglycdn.com/files/7c2be9ed-c3dd-4a23-92f6-86022a750604/59133156503.pdf
    • https://uploads.strikinglycdn.com/files/805e2d9f-dcec-44f3-af4e-c31e57195b9b/tijoratejudefefal.pdf
    • https://s3.amazonaws.com/voxipanovigepiv/bella_coffee_maker_14755.pdf
    • https://s3.amazonaws.com/kitakilesa/69671391529.pdf
    • https://s3.amazonaws.com/sugaguxagu/computer_full_form_of.pdf
    • https://s3.amazonaws.com/topipovikapari/27843810767.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cfc3.bin
61905bd05733afbcc0a1c73b956d3d9f2b8c8dd9f7326b22a85e334bd589af25		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCFC3 5836 bytes
font_01_sfnt_off0000e3a4.bin
697836750d7a28a1af65dac35c741261fd404f8ca6000d0e9383ce5a537a7134		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE3A4 10688 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.