Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd09c9ee4c21af79…

Verdict: MALICIOUS

File type: PDF

Size: 50.6 KB
Created: 2020-11-09 19:17:14 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 840c29e5dc7e00efb771468cc5061ec8
SHA-1: ea84e18b682c67a7ce78e165f39190c9e4a439f0
SHA-256: dd09c9ee4c21af79342fccf76f68e046cfda2aeab312c276d539bb38be031cb6
Risk Score: 94

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier. It contains an embedded URI pointing to 'traffset.ru', which is likely a phishing or malware distribution domain. The document body, though heavily obfuscated, contains references that suggest a lure related to the 'Grinch' movie.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7962

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://traffset.ru/aws?keyword=grinch+film+romana
    • https://cdn-cms.f-static.net/uploads/4407756/normal_5f93c05d1e74a.pdf
    • https://cdn-cms.f-static.net/uploads/4380403/normal_5f975ee4f390f.pdf
    • https://cdn-cms.f-static.net/uploads/4459036/normal_5fa3e66270829.pdf
    • https://cdn-cms.f-static.net/uploads/4374715/normal_5f9120394d953.pdf
    • https://cdn-cms.f-static.net/uploads/4421056/normal_5fa6fe2b5b603.pdf
    • https://cdn-cms.f-static.net/uploads/4371806/normal_5fa1a20f1af53.pdf
    • https://cdn-cms.f-static.net/uploads/4379839/normal_5f924f96d8da5.pdf
    • https://cdn-cms.f-static.net/uploads/4366024/normal_5f8dc4c8c80b5.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/e3545e00-e8b5-44f2-bd8b-c5ea3fe1ad4e/23239527662.pdf
    • https://uploads.strikinglycdn.com/files/089c585b-8025-48cf-835a-d0965d77fedc/79202840676.pdf
    • https://uploads.strikinglycdn.com/files/b2e9cebf-700f-4cb6-bb8e-4648c685911c/princes_of_the_apocalypse_5e_download.pdf
    • https://uploads.strikinglycdn.com/files/734d2049-216d-410a-82c2-d6600509c6b9/dakofekikeluminewuravu.pdf
    • https://uploads.strikinglycdn.com/files/e5c143f3-0726-415c-85b0-5090ef5c5ac3/kowarajawuborosaf.pdf
    • https://uploads.strikinglycdn.com/files/446e2361-3129-40df-9e3f-b29e2cc69b7a/41984879626.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000b0bc.bin
SHA-256: d067309415fdeaee3f850a74f448170fe1f7553c33f486673c5983be8eb5d485
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xB0BC
Size: 4972 bytes