Malicious PDF — malware analysis report

Static analysis result for SHA-256 9f4f9ba1060bd7cc…

Verdict: MALICIOUS
File type: PDF
Size: 64.4 KB
Created: 2020-11-17 00:24:45 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9ae495d91ec8d1fb47ec4f14e1b38d07
SHA-1: 1bbc1e688d719b84176f9267334f6b2bc591a1dd
SHA-256: 9f4f9ba1060bd7cc0d61e994c9bef0a5b16f020341c04469548224c0480d76ed
Risk score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF was classified as malicious by the Nyx ML classifier (score 0.9998) and by ClamAV, which flagged it as Pdf.Phishing.Trojan. It carries an external URI action pointing to traffset.ru, which is likely a malicious download or phishing site. The link's utm_term parameter is a Portuguese search phrase percent-encoded three times over; decoded, it reads 'comentário histórico-cultural da bíblia pdf' ('historical-cultural commentary of the Bible, PDF'), which identifies the lure: a document posing as the PDF the victim searched for, with a call-to-action that sends them off-site to 'download' it. The document body itself is heavily obfuscated. No scripts were extracted, so the T1059.007 JavaScript mapping above is not corroborated by a recovered script; the phishing classification, the call-to-action text and the external link together indicate an attempt to deliver a secondary payload or to phish credentials. Of the other extracted URLs, the cdn-cms.f-static.net and uploads.strikinglycdn.com entries point to further hosted PDFs with random-looking or unrelated filenames, consistent with a chain of similar lure documents, while the ascendercorp.com, w3.org, purl.org, ns.adobe.com and scripts.sil.org entries are font-licence and XMP metadata namespace references that are expected in a rendered PDF and are not indicators.
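The utm_term value on the traffset.ru link is percent-encoded three times over, which hides the lure phrase from a casual read of the URL and from filters that decode only once. The Python below is a worked example added to this report, not tooling from the original analysis: it decodes nested percent-encoding until the string stops changing, counts the layers, and flags parameters that needed more than one pass. SAMPLE_URL is the URL listed in the report; the example.invalid URL used in the check is a constructed control, and the "two or more layers is worth a look" threshold is this example's own heuristic.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# The external URI action extracted from the sample (copied from the report).
SAMPLE_URL = ("https://traffset.ru/strik?utm_term=coment%2525C3%2525A1rio"
              "+hist%2525C3%2525B3rico-cultural+da+b%2525C3%2525ADblia+pdf")


def decode_nested(value, max_rounds=8):
    """Percent-decode repeatedly until the string stops changing.

    Returns (decoded_value, rounds), where rounds counts the passes that
    actually changed the input. max_rounds guards against inputs crafted to
    keep shrinking forever.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def decode_query(url):
    """Return {param: (fully decoded value, encoding layers)} for a URL.

    parse_qs performs the first decode (and turns '+' into spaces), so the
    layer count is one more than the extra rounds decode_nested needed.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    result = {}
    for name, values in params.items():
        decoded, extra = decode_nested(values[0])
        result[name] = (decoded, extra + 1)
    return result


def suspicious_params(url, min_layers=2):
    """Parameters whose value was percent-encoded more than once.

    Heuristic (this example's assumption): several layers usually mean the
    value passed through a chain of redirectors or was wrapped to slip past
    URL filters that decode a single time. Either way it deserves a look.
    """
    return {k: v for k, v in decode_query(url).items() if v[1] >= min_layers}


if __name__ == "__main__":
    for name, (value, layers) in decode_query(SAMPLE_URL).items():
        print(f"{name}: {value!r} ({layers} encoding layer(s))")
    print("flagged:", sorted(suspicious_params(SAMPLE_URL)))
```

Run against the report's URL the script prints the decoded Portuguese phrase with three layers and flags utm_term; a normally encoded parameter such as `q=a%20b` decodes in one layer and is not flagged. Feed it the whole EMBEDDED_URL list to separate tracking-heavy redirector links from the plain metadata URLs.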

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffset.ru/strik?utm_term=coment%2525C3%2525A1rio+hist%2525C3%2525B3rico-cultural+da+b%2525C3%2525ADblia+pdf
    • https://cdn-cms.f-static.net/uploads/4409630/normal_5fa0940f6cc63.pdf
    • https://cdn-cms.f-static.net/uploads/4374368/normal_5f95b10d8593f.pdf
    • https://cdn-cms.f-static.net/uploads/4485578/normal_5fa9c6ba2da26.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/5b5e1879-e902-4dc1-bfb3-ff9b9b2a1985/xijiju.pdf
    • https://uploads.strikinglycdn.com/files/8e3a8301-54b9-4b18-a2e8-3b88fcc72027/xasodo.pdf
    • https://uploads.strikinglycdn.com/files/326eee68-f29a-474c-a825-07eac3d42091/rugogokigelonotugixudegu.pdf
    • https://uploads.strikinglycdn.com/files/c237ae98-7ea1-4ae7-9c07-802ec7a53798/baluxorojazefepolawiv.pdf
    • https://uploads.strikinglycdn.com/files/7c93c7a5-e747-4730-acb0-ecd31ced0c6c/tororuxe.pdf
    • https://uploads.strikinglycdn.com/files/1f18a172-9b57-4fb1-a7ee-6dd467fe6676/seduce_meaning_games.pdf
    • https://uploads.strikinglycdn.com/files/ee9aa148-4e69-428b-bba4-c976b1202f2c/68751590537.pdf
    • https://uploads.strikinglycdn.com/files/97d3d1bc-cf46-461b-ad15-5f396c101e0b/lilupinaranekefibor.pdf
    • https://uploads.strikinglycdn.com/files/b067d317-76c6-44f0-a488-c29e7f09d2cb/watsons_go_to_birmingham_chapter_questions.pdf
    • https://uploads.strikinglycdn.com/files/10eb788a-a03d-4bd1-9532-db222df78fe3/nutrition_information_carrot_cake_slice.pdf
    • https://uploads.strikinglycdn.com/files/2bbf300f-2aeb-4370-ba00-4d1a4c5c46f5/fijopanobol.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
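The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL finding above describes a shape (the same indirect object defined twice with different bytes) without showing how to pull it out of a file. The Python below is a worked example added here, not a tool from the report: it scans a PDF for "N G obj ... endobj" definitions, groups them by object number and generation, and for each redefinition with differing bodies records what a first-wins and a last-wins reader would each resolve, escalating only when one of the copies carries active content, which is the severity rule the finding text states. SAMPLE_PDF is a constructed minimal document whose link annotation is redefined by an appended update, not bytes from the analysed sample, and the ACTIVE_KEYS list is this example's assumption about which dictionary keys count as active content.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: a minimal PDF whose object "4 0" (a link annotation) is
# defined twice with different bodies, as an incremental update would do.
# Illustrative data only, not bytes from the analysed sample.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://example.invalid/original) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # appended update: same object number and generation, different body
    b"4 0 obj\n<< /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://example.invalid/swapped) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Top-level "N G obj ... endobj" only: adequate for triage, not a PDF parser
# (objects packed inside compressed object streams are not seen).
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)

# Dictionary keys that make a duplicated object worth escalating (assumption).
ACTIVE_KEYS = re.compile(
    rb"/(JavaScript|JS|Launch|OpenAction|AA|URI|SubmitForm|EmbeddedFile)\b")


def find_duplicate_objects(pdf_bytes):
    """One finding per (num, gen) defined more than once with differing bodies.

    Each finding records the body a first-wins reader resolves, the body a
    last-wins reader resolves, and whether any copy carries active content.
    Byte-identical redefinitions are skipped as benign incremental updates.
    """
    definitions = defaultdict(list)
    for m in OBJ_RE.finditer(pdf_bytes):
        key = (int(m.group(1)), int(m.group(2)))
        definitions[key].append((m.start(), m.group(3).strip()))

    findings = []
    for key, defs in sorted(definitions.items()):
        if len(defs) < 2:
            continue
        digests = {hashlib.sha256(body).hexdigest() for _, body in defs}
        if len(digests) == 1:
            continue  # same bytes every time: not a parser-confusion shape
        active = any(ACTIVE_KEYS.search(body) for _, body in defs)
        findings.append({
            "obj": key,
            "definitions": len(defs),
            "offsets": [off for off, _ in defs],
            "first_wins": defs[0][1],
            "last_wins": defs[-1][1],
            "active_content": active,
            "severity": "high" if active else "info",
        })
    return findings


if __name__ == "__main__":
    for f in find_duplicate_objects(SAMPLE_PDF):
        num, gen = f["obj"]
        print(f"object {num} {gen}: {f['definitions']} definitions at "
              f"offsets {f['offsets']}, severity {f['severity']}")
        print("  first-wins reader sees:", f["first_wins"].decode())
        print("  last-wins reader sees: ", f["last_wins"].decode())
```

On the constructed sample the scan reports object 4 0 twice defined, shows the two different URIs a first-wins and a last-wins reader would follow, and rates it high because the body contains a /URI action; replacing the second URI with the first makes the bodies identical and the finding disappears, which is the benign incremental-update case the heuristic text describes. For a real investigation, follow the xref chain as well, since which definition the viewer honours depends on the trailer it trusts, not just on file order.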

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt font programs, which are expected in a document rendered by wkhtmltopdf; they are listed for completeness and are not indicators on their own.

  • font_00_sfnt_off0000b0f6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB0F6
    Size: 2864 bytes
    SHA-256: d9eb4a6120ea016b30114cb131a3221ed83c26ec4383e7d40e50d43a01dc9751
  • font_01_sfnt_off0000bb28.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBB28
    Size: 5896 bytes
    SHA-256: 6309a1d881c18a0c23a052a98e6a25d091edc876bbecb1202908ea77eaeba62d
  • font_02_sfnt_off0000ce29.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCE29
    Size: 10472 bytes
    SHA-256: 251e318a7b07d911faa74ea3492d025ab861320033fb0a87ba1684e88b693fcb