PDF malware analysis — malicious · ae003278a8acb519

MALICIOUS

PDF

64.7 KB Created: 2020-12-20 07:26:40 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: d89420398eef1f1bc7cea8d4dfd5466b SHA-1: 74ec4bf1c1823f257f90922b12b7a09fa24b1d0c SHA-256: ae003278a8acb51961367f0d80a46a39fe90379c37d5098275ab7d40ed3ae000

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, with a high risk score. It contains an embedded URI pointing to a suspicious domain, traffnew.ru, which is likely used for phishing or malware distribution. Although no scripts were explicitly extracted, the PDF structure and the presence of external URIs suggest an attempt to redirect the user to a malicious site.

Machine Learning

Nyx PDF Classifier malicious score 0.9995

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://traffnew.ru/strik?utm_term=carbon+nmr+shifts+solvents
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static1.squarespace.com/static/5fdec22607af9e0e16fda9dc/t/5fdece6f6a6ad7222f214e57/1608437362163/revajakunekerunibirevigi.pdf
- https://s3.amazonaws.com/gurowozenupifi/another_love_story_naa_song.pdf
- https://static1.squarespace.com/static/5fc5dd828139af0376671f14/t/5fd1fbb60f163860c7b364c1/1607596983447/74779174745.pdf
- https://s3.amazonaws.com/guxosa/jirixojotinolejorere.pdf
- https://static1.squarespace.com/static/5fc12a77be9b6939510c7598/t/5fc8d3226031f4738628f88a/1606996770974/cake_maker_story_game_online.pdf
- https://s3.amazonaws.com/bagisi/apartment_lease_transfer_agreement_template.pdf
- https://static1.squarespace.com/static/5fdcabe2a35cfe5f3c796ebc/t/5fdd22ad6c54dc36cd6f4257/1608327854450/lisan_ul_quran_answer_book.pdf
- https://uploads.strikinglycdn.com/files/e429aa3b-0ca2-4330-bd22-962e8f9c0077/living_without_money_australia.pdf
- https://static1.squarespace.com/static/5fdd52f8c2d4633280e99069/t/5fdd7d45ef735726d2468b6e/1608351046439/ionic_app_stuck_on_splash_screen_android.pdf
- https://s3.amazonaws.com/bupijila/89894124834.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ae64.bin` `f9f08451dbfb6808d0012aea62aaa2ea302b042a84993bf56b4cafc0e3e79cae`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAE64	5112 bytes
`font_01_sfnt_off0000bf9e.bin` `e239306c6dbe2ec6a90ca84bd93c157434a888273a1580fd2c59b4d915cdafa9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBF9E	9692 bytes
`font_02_sfnt_off0000e108.bin` `b91ebbfc40a94f10b2fcfc4d08542e4cd4fc38dcff43bcfefe5d572695fcce17`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE108	16160 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.