Malicious PDF — malware analysis report

Static analysis result for SHA-256 b309ac3469d9ac64…

MALICIOUS

PDF

67.0 KB Created: 2020-12-23 01:17:04 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f957fda5b4b03b4462e15a42b7b99a28 SHA-1: 4e7524db470322a1e51d7a955c81ec720f2d511c SHA-256: b309ac3469d9ac64e3af56103126cab2ffd06e05f3b6341273e63109986ca6f9
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document flagged by multiple heuristics and a machine learning classifier as malicious. It contains an embedded URI pointing to 'traffset.ru', which is likely a phishing or malware distribution site. The ClamAV detection name 'Pdf.Phishing.Trojan' further supports this assessment. No scripts were extracted, but the presence of an external URI in a malicious PDF strongly suggests an attempt to redirect the user to a harmful resource.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/strik?utm_term=swiss+time+to+cst
    • https://cdn-cms.f-static.net/uploads/4380411/normal_5f93e8764c7a6.pdf
    • https://cdn-cms.f-static.net/uploads/4417815/normal_5fdbfb6f1b13c.pdf
    • https://cdn-cms.f-static.net/uploads/4417413/normal_5fd194b5bd33a.pdf
    • https://lijujizakivim.weebly.com/uploads/1/3/4/6/134634855/zexobevusutat.pdf
    • https://netulomite.weebly.com/uploads/1/3/2/8/132814473/bajusafofa.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/c32dd677-6709-4043-a133-17a8060266ec/rotevejuwezedik.pdf
    • https://s3.amazonaws.com/gafedupeba/hanger_2_unblocked.pdf
    • https://uploads.strikinglycdn.com/files/e211ee6e-1313-4080-9eda-dd2b84b595bc/lista_de_conjunciones_en_espanol.pdf
    • https://uploads.strikinglycdn.com/files/8430569b-87c5-4322-b21e-5c4c9dcf2798/the_amazing_spider_man_apk_mod_unlimited_coins.pdf
    • https://s3.amazonaws.com/gofiguj/hitman_4_blood_money_free_utorrent.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bb74.bin
55659b1b6c9765a65fa60a136d0e467c1347b4ea690fd16062b0dc91094081b6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBB74 4484 bytes
font_01_sfnt_off0000cabe.bin
6d914f4e3c5cdefad7f6d16ac81e5d0fa3aa1695edb157f92002520f55fedbb2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCABE 12576 bytes
font_02_sfnt_off0000f170.bin
9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF170 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.