Malicious PDF — malware analysis report

Static analysis result for SHA-256 b1d1c00892d62cee…

MALICIOUS

PDF

Size: 207.2 KB    Created: 2020-12-03 17:23:31 +02:00    Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5:     beeb3f4b80fb86047993f72b2350ff6f
SHA-1:   13f07a9105dd74c17b2700881585f3b37cfe485c
SHA-256: b1d1c00892d62ceed9c071cc0a61ec396f40ed16279d6a2b531b435d7c22125c
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

Both ClamAV (signature Pdf.Phishing.Trojan) and the ML classifier (score 0.9965) flag the file as malicious. The document carries an external link action to 'trafffi.ru' whose query string mimics a search term ('minority report 2 synopsis'), consistent with a phishing or redirect lure; the document body, though heavily obfuscated, contains matching 'Minority Report 2 synopsis' text, and the authoring application wkhtmltopdf indicates the PDF was rendered from an HTML page, a common way to mass-produce such lures. Of the remaining extracted URLs, the ns.adobe.com, purl.org and w3.org entries are XMP metadata namespace identifiers and the ascendercorp.com, daltonmaag.com and scripts.sil.org/OFL entries are licensing URLs from the embedded fonts' metadata; these are not contact points. The cdn-cms.f-static.net and weebly.com PDF links sit in the document body and should be treated as part of the lure's link set.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9965

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware under the signature name shown above.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafffi.ru/aws?utm_term=minority+report+2+synopsis (label: URL, external link action)
    • https://cdn-cms.f-static.net/uploads/4369160/normal_5f90740511930.pdf
    • https://cdn-cms.f-static.net/uploads/4368235/normal_5f947b9e608f5.pdf
    • https://cdn-cms.f-static.net/uploads/4388283/normal_5fad76c9cc004.pdf
    • https://fagugirawax.weebly.com/uploads/1/3/4/3/134388021/1674872.pdf
    • https://xavozunop.weebly.com/uploads/1/3/4/3/134305705/vazisinotevej_sowurug_gemexejuzafu.pdf
    • https://duzigavejad.weebly.com/uploads/1/3/4/5/134513143/7305549dd9a9f.pdf
    • https://gejatovuri.weebly.com/uploads/1/3/1/4/131406669/dexanavitusami.pdf
    • https://dufavepuxafolim.weebly.com/uploads/1/3/4/2/134266173/ee8dcb.pdf
    • https://cdn-cms.f-static.net/uploads/4393029/normal_5fb2cce7bbdb4.pdf
    • https://cdn-cms.f-static.net/uploads/4471114/normal_5faac9e46f736.pdf
    • https://munuteme.weebly.com/uploads/1/3/4/8/134862418/gumiv_ludeti_badula_sudijadidipi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
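The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI heuristics above describe a check a triage script can reproduce: walk every `N G obj ... endobj` definition in file order, group them by object number and generation, and report any object that is defined more than once with different body bytes, showing what a first-wins reader and a last-wins reader would each resolve and whether either body carries active content (a /URI, /JS, /Launch or /OpenAction). The example below is added here and is not code from the report's analysis engine; the PDF it scans is a constructed minimal document in which a link annotation is redefined by an incremental update, and the example.org/example.net URLs are placeholders. It uses a regular-expression object scanner rather than a full PDF parser, so a stream that contains the literal bytes `endobj` would be mis-split; that is a known limitation of this quick check.

```python
import re
from collections import defaultdict

# Constructed sample (not the report's sample): object 4, a link annotation, is
# defined once in the original body and again in an incremental update with a
# different /URI. A first-wins reader follows the first link, a last-wins
# reader (the behaviour the PDF spec prescribes for incremental updates) the second.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/benign) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.net/redirect) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# "N G obj <body> endobj"; non-greedy body, so a stream containing the literal
# bytes "endobj" would split early (acceptable for a triage heuristic).
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# /URI (literal string), allowing backslash-escaped characters inside the parens.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
# Keys that make a body "active content" in the sense of the heuristic.
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA")


def parse_objects(data):
    """Return {(num, gen): [body, ...]} with bodies in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objs[key].append(m.group(3).strip())
    return objs


def duplicate_objects(objs):
    """Objects defined more than once whose body bytes are not all identical."""
    return {k: v for k, v in objs.items() if len(v) > 1 and len(set(v)) > 1}


def carries_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def extract_uris(body):
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(body)]


def analyze(data):
    """Reproduce the duplicate-object and external-URI checks on raw PDF bytes."""
    objs = parse_objects(data)
    findings = []
    for key, bodies in duplicate_objects(objs).items():
        findings.append({
            "obj": key,
            "definitions": len(bodies),
            "first_wins_uris": extract_uris(bodies[0]),
            "last_wins_uris": extract_uris(bodies[-1]),
            # Severity is raised only when a duplicate carries active content,
            # mirroring the heuristic's own rule for benign incremental updates.
            "severity": "high" if any(carries_active_content(b) for b in bodies) else "info",
        })
    all_uris = sorted({u for bodies in objs.values() for b in bodies for u in extract_uris(b)})
    return {"duplicates": findings, "uris": all_uris}


if __name__ == "__main__":
    result = analyze(SAMPLE_PDF)
    for f in result["duplicates"]:
        print(f"object {f['obj'][0]} {f['obj'][1]} defined {f['definitions']}x, severity {f['severity']}")
        print("  first-wins reader resolves:", f["first_wins_uris"])
        print("  last-wins reader resolves: ", f["last_wins_uris"])
    print("all external URIs:", result["uris"])
```

Run against a real sample by replacing SAMPLE_PDF with the file's bytes; when the two resolutions differ, detonate or render the document with more than one reader before concluding which URL the victim would actually have followed.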

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0002e927.bin
  SHA-256: f8b9312015dc855588350ff30855bb47990b069d6371e98a208a04eba59d1e8a
  Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x2E927    Size: 4596 bytes

Filename: font_01_sfnt_off0002f8e1.bin
  SHA-256: ac09639d81555d9fb63583d101f0c0f2802cb0f8e5eff87d6a5da51f97367a77
  Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x2F8E1    Size: 11724 bytes

Filename: font_02_sfnt_off000320c3.bin
  SHA-256: a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f
  Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x320C3    Size: 4324 bytes