Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa8230ce8fa39ff0…

MALICIOUS

PDF

57.6 KB Created: 2020-11-24 23:20:59 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9e29b999c5e2bea466be1e6c28d2e3d3 SHA-1: 16c16ebf90914f0a8bc46449284c0e4c0ce6dac0 SHA-256: aa8230ce8fa39ff00d31b06df81e10f80fe988e109235bf1f706f040fd46738a
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, specifically identified as a phishing trojan. It contains an embedded URI pointing to 'trafffe.ru', which is likely a malicious domain used for phishing or malware distribution. The document body, though heavily obfuscated, suggests a lure related to 'Estudio de alabanza y adoracion pdf'. No scripts were extracted, but the presence of an external URI and the malicious verdict strongly indicate a phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7768

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffe.ru/strik?utm_term=estudio+de+alabanza+y+adoracion+pdf
    • https://cdn-cms.f-static.net/uploads/4490519/normal_5fb79e7cb8450.pdf
    • https://cdn-cms.f-static.net/uploads/4366022/normal_5f86f8cc94453.pdf
    • https://jomopejizudo.weebly.com/uploads/1/3/4/6/134664487/wajafinow.pdf
    • https://cdn-cms.f-static.net/uploads/4387565/normal_5fbc8db000de7.pdf
    • https://zimiduninu.weebly.com/uploads/1/3/1/6/131637103/6843763.pdf
    • https://cdn-cms.f-static.net/uploads/4366007/normal_5fada1f822716.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/ce212d10-4629-442f-a595-4fe4dea4de25/10326154068.pdf
    • https://uploads.strikinglycdn.com/files/d2c47421-034a-4040-857e-d6e450217f4a/agave_hair_treatment_near_me.pdf
    • https://uploads.strikinglycdn.com/files/6b7f30f6-1026-42d3-b255-12e4984e8f95/copenhagen_burnout_inventory.pdf
    • https://uploads.strikinglycdn.com/files/c36477bd-b880-4c1e-b24e-e3369435da6c/jimixus.pdf
    • https://uploads.strikinglycdn.com/files/e6192af1-ac3f-4284-9675-edb53ba4a32d/effects_of_radiation.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c6a8.bin
597fe8f6074e2189af607bea34ecc960bb3b89953c765ec6952ffd626563675f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC6A8 5396 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.