PDF malware analysis — malicious · a25345f9f6f79461

MALICIOUS

PDF

73.5 KB Created: 2020-11-10 11:31:49 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: d512475f781ca826e50b7f580a6bf761 SHA-1: 5bfadbdf0f8800e736932a6b6b2db0075adbb534 SHA-256: a25345f9f6f794614ecafd6b863a94946c6d7cf5985fbf450766615dbc279aea

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document flagged by ClamAV as a phishing trojan and by an ML classifier with high confidence. It contains an embedded URL pointing to 'traffset.ru', which is likely used to deliver a malicious payload or redirect the user to a phishing site. The document body is heavily obfuscated, preventing a clear understanding of its specific lure, but the presence of the malicious URL and the detection verdicts strongly indicate a phishing or malware distribution attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://traffset.ru/aws?keyword=sprint+commercial+2020
- https://cdn-cms.f-static.net/uploads/4478655/normal_5fa80395c67ae.pdf
- https://cdn-cms.f-static.net/uploads/4412573/normal_5f9497d8025a5.pdf
- https://cdn-cms.f-static.net/uploads/4368218/normal_5f8b4947e62bf.pdf
- https://cdn-cms.f-static.net/uploads/4404755/normal_5f953abd4ad5c.pdf
- https://cdn-cms.f-static.net/uploads/4366676/normal_5f88b50e7d5d2.pdf
- https://cdn-cms.f-static.net/uploads/4386597/normal_5f9387021f5b4.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/f8f67ba0-5972-4fb2-b8c5-b3b4d8f44920/74792075986.pdf
- https://uploads.strikinglycdn.com/files/b8290d1b-916f-4101-82ca-af6e5523c00c/11948553989.pdf
- https://s3.amazonaws.com/libeganot/first_internet_bank_mortgage_reviews.pdf
- https://s3.amazonaws.com/lekizopiloref/translate_relampago_from_spanish_to_english.pdf
- https://uploads.strikinglycdn.com/files/c1496721-21b2-49e4-bca8-ede52bfa8e3d/38624624454.pdf
- https://uploads.strikinglycdn.com/files/49320b4c-9f08-40f4-ad52-187059d318a3/10.2_graphing_square_root_functions_answers.pdf
- https://uploads.strikinglycdn.com/files/0d391850-9190-41d2-9165-d55ac8eb813d/37680597630.pdf
- https://uploads.strikinglycdn.com/files/cd77e3a1-b1b5-4af9-9208-e2272f4c1aac/9005083283.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e317.bin` `a6e56fb367f6d7632dddfc573d9410fba8ee269de24e9a5a1cf4d7d31697049e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE317	5280 bytes
`font_01_sfnt_off0000f4f4.bin` `5a65b1ec7c433d05870decb83d50258766750989ed5e704788cf14819c7748ee`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF4F4	10680 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.