Malicious PDF — malware analysis report

Static analysis result for SHA-256 a0ba25650a5e230a…

MALICIOUS

PDF

68.3 KB Created: 2020-12-17 06:39:10 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7f4366e54e2fb4cc1700347a4c9fbd99 SHA-1: 17377ae75334764cbb638c867360107edeb1fcc9 SHA-256: a0ba25650a5e230a7f72f2b7bf2635205eee98a9cf74398d1e134b44b1e286cc
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded URL pointing to a suspicious domain, identified by ClamAV as a phishing trojan. The ML classifier also strongly indicated maliciousness. While no scripts were directly extracted, the presence of an external URI and the overall detection profile suggest an attempt to redirect the user to a malicious site, likely for phishing or further payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffnew.ru/123?utm_term=translating+grandfather%2527s+house+essay
    • https://cdn-cms.f-static.net/uploads/4374848/normal_5fa5d0ab15f2c.pdf
    • https://cdn-cms.f-static.net/uploads/4443354/normal_5fc1a6a8d93d1.pdf
    • https://cdn-cms.f-static.net/uploads/4458431/normal_5fa15040aaf09.pdf
    • https://cdn-cms.f-static.net/uploads/4380857/normal_5f8e25beb91dd.pdf
    • https://cdn-cms.f-static.net/uploads/4381321/normal_5f8fc99c9d40d.pdf
    • https://cdn-cms.f-static.net/uploads/4371246/normal_5fd7955dad3c2.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/f55ec5f8-5287-42b1-9402-c6b5340a61ff/48946789680.pdf
    • https://uploads.strikinglycdn.com/files/a1def354-45fc-4e83-a264-aae3186d1f2b/go_math_lesson_6.1_answer_key_grade_5.pdf
    • https://uploads.strikinglycdn.com/files/2c48dc77-3b7f-4407-b329-4815a52dd149/jixovedelegawisose.pdf
    • https://static1.squarespace.com/static/5fc5bce68787e879898d1666/t/5fce31d06f0099009e8ee131/1607348690654/blue_koala_stitch_stickers_for_whatsapp.pdf
    • https://static1.squarespace.com/static/5fc1cdd0ec917750a3de3367/t/5fcae1831ef6d1662fe35232/1607131527130/vifovuvovefulak.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ce74.bin
92d9198a4393bfe4378e699bb10fd8eff9e6d5e72afcefd213040e4d57e9bfe9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCE74 5256 bytes
font_01_sfnt_off0000e059.bin
6615218d89a28e39d5da17d4ff9f06004d122f52579eb061823c7a6805f4538f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE059 10544 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.