Malicious PDF — malware analysis report

Static analysis result for SHA-256 ca6703f97ccd5ecd…

MALICIOUS

PDF

69.0 KB Created: 2021-01-06 20:35:13 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1fa066dd25566ef14576091759a9cbed SHA-1: 7a60caf9475d05f0ce450a6bcc7ad7e95d1579de SHA-256: ca6703f97ccd5ecda0db9ae3ff4238520dcee2ecff0f163e50da41406aa41d56
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged as malicious by ClamAV and an ML classifier. It contains an embedded URI pointing to 'trafftec.ru', which is likely a phishing or malware distribution site. The document body, though heavily obfuscated, appears to contain text related to a game ROM, suggesting a lure to trick users into visiting the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafftec.ru/aws?utm_term=crash+bandicoot+1+psx+rom
    • https://cdn.sqhk.co/jakufomego/ijaighb/84992073312.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/5f3dee54-91d3-49c1-9148-0add81d1ccd1/67393534787.pdf
    • https://s3.amazonaws.com/zosevid/kudilanib.pdf
    • https://s3.amazonaws.com/xijalovelokolep/japojoritodezige.pdf
    • https://uploads.strikinglycdn.com/files/0eaf89b2-3700-4f50-89c0-1889e7b4882e/32689753599.pdf
    • https://uploads.strikinglycdn.com/files/f639576f-c439-4c3d-b51f-31e6c527f01d/96097208836.pdf
    • https://s3.amazonaws.com/penale/gimagivixulej.pdf
    • https://s3.amazonaws.com/mijumomub/dpe_guidelines_for_bond_transfer.pdf
    • https://s3.amazonaws.com/sodoxi/raguxexewumas.pdf
    • https://uploads.strikinglycdn.com/files/4286b438-87af-4d9e-915f-db1c28008248/zipilezekiwewotareleri.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_005_off0000ea8b.bin
eae2531dbb99cf31b87f09eafd24df302545af7bd37e129284119d8d3e8516f5		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xEA8B 18536 bytes
font_00_sfnt_off0000b677.bin
3abd5c88be6b795e4246bd8edbe6d0f1aa6a4a601a2971373533e29d5102853f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB677 5448 bytes
font_01_sfnt_off0000c8d1.bin
dcde0c11234959c790afd003929c3ff883930acb1f4f2fa1fb02fc5118d268cc		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC8D1 9736 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.