Malicious PDF — malware analysis report

Static analysis result for SHA-256 db8921c6d8441586…

MALICIOUS

PDF

65.2 KB Created: 2020-11-12 20:20:11 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 059e931263da1e599fae8f3d9433c3d6 SHA-1: 7b9d7d65a08aa89a1f864a2dd27dfb461895ca71 SHA-256: db8921c6d8441586c6fd9ec2f13ebc95150f04fe11c3a702ad9bc4721c0e02f4
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing attempt. It contains an embedded URL pointing to 'traffine.ru', disguised as answers for a vocabulary workshop. While no scripts were directly extracted, the PDF structure and embedded URI suggest an attempt to redirect the user to a malicious site, likely for credential harvesting or further malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffine.ru/strik?utm_term=vocabulary+workshop+level+f+unit+4+synonyms+antonyms+answers
    • https://cdn-cms.f-static.net/uploads/4378165/normal_5f8c9b086e7a2.pdf
    • https://rixijufufapug.weebly.com/uploads/1/3/4/4/134497528/tabesotuzutabamak.pdf
    • https://cdn-cms.f-static.net/uploads/4412165/normal_5fa18203e1009.pdf
    • https://cdn-cms.f-static.net/uploads/4420237/normal_5fa6fffd763ff.pdf
    • https://cdn-cms.f-static.net/uploads/4414682/normal_5fab92772dfc2.pdf
    • https://cdn-cms.f-static.net/uploads/4379626/normal_5f9b86a2df3dd.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/77996d82-e479-443d-bf55-a3bcf8263d1b/93558102072.pdf
    • https://uploads.strikinglycdn.com/files/135dfd15-bd73-4a54-b542-ead77d67ed9f/padoxoviviregewibate.pdf
    • https://uploads.strikinglycdn.com/files/ba7503bb-5e2c-422e-bd82-cb762a8c67c8/nidewekake.pdf
    • https://s3.amazonaws.com/nitidadufetenu/jowixijutikijo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c111.bin
3cf63cd29263afe96a31b2ef41ccc01fb1855d3facc44bc77397c1f00aebcf94		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC111 5764 bytes
font_01_sfnt_off0000d4af.bin
37f14d31931210e068ab1c661542a39a43d1bf5205a35c374fc912553da5eb00		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD4AF 10396 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.