Malicious PDF — malware analysis report

Static analysis result for SHA-256 9745a0a3fb94fcb9…

Verdict: MALICIOUS
File type: PDF
Size: 100.5 KB
Created: 2021-01-06 02:51:29 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-27
MD5: b082e87b9ee773c11a54af20e73d71af
SHA-1: 745f4bdd1a5191fe5f8627501b139fd4cbbac694
SHA-256: 9745a0a3fb94fcb9b8d5181e32d10536b1e368c70781e7b5fd21e8eb1914e876
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document flagged as malicious by ClamAV and an ML classifier. It contains an embedded URI pointing to 'trafffi.ru', which is a strong indicator of phishing or malware distribution. The document body is heavily obfuscated and contains metadata suggesting it was generated by wkhtmltopdf, a tool often used to create PDFs from web content, which could be part of a phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafffi.ru/123?utm_term=eco+machine+for+heart In PDF link annotation

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000124df.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x124DF
    Size: 4656 bytes
    SHA-256: 3f846ebdadfbcb5b891c42581268acc34d703d6874acb7b430ef58e9025123bc
  • font_01_sfnt_off00013474.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13474
    Size: 13440 bytes
    SHA-256: 6016459631955a8e6106ae5ec51369437642b29ff72d632feb9f034381b5bd8b
  • font_02_sfnt_off00015fa5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15FA5
    Size: 16164 bytes
    SHA-256: e296a61d2d303e35be9e1a35631556663d2780498efa7e8f3867bf557f172fe6
  • font_03_sfnt_off000174bc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x174BC
    Size: 4324 bytes
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c