Malicious PDF — malware analysis report

Static analysis result for SHA-256 dee531e92a82e81c…

MALICIOUS

PDF

63.9 KB Created: 2020-11-12 15:12:43 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 66f3e000909e953ffd1be3fb093bb1c3 SHA-1: 9dd34eb8c1ef3c6e6b74974be14a8dab27d5bb19 SHA-256: dee531e92a82e81c0c6f0f9356804d5300d260551418e618c5a8bd51594776e2
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains an embedded URL that points to a suspicious domain, identified by ClamAV and ML classifiers as malicious. The document body, though heavily obfuscated, appears to be a lure related to a 'roller disco' event, likely intended to trick users into visiting the malicious URL. No scripts were extracted, but the presence of a malicious URL and high confidence threat detection suggests a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9975

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffking.ru/123?utm_term=down+and+derby+roller+disco
    • https://cdn-cms.f-static.net/uploads/4379851/normal_5f9129e60815a.pdf
    • https://cdn-cms.f-static.net/uploads/4370064/normal_5fab6d7315b95.pdf
    • https://cdn-cms.f-static.net/uploads/4417534/normal_5f9e11fa707db.pdf
    • https://gesofomudejow.weebly.com/uploads/1/3/4/3/134344239/a828c7f.pdf
    • https://mogilifus.weebly.com/uploads/1/3/0/7/130739831/059d55fbff3.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/3d71df7f-bd79-4d88-b0d3-2173eba0eb3e/jaclyn_smith_christmas_tree_assembly.pdf
    • https://uploads.strikinglycdn.com/files/f51dc46c-815f-40ae-b700-45177f6a843b/5064342975.pdf
    • https://s3.amazonaws.com/divexikav/bloons_tower_defense_5_cheat_codes.pdf
    • https://s3.amazonaws.com/tejuvonixag/fulirodilu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000adf4.bin
4796767429a598a3628b3db718be9db11ecbdd86e3d89a1b1230bf2c8e00c33b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xADF4 4976 bytes
font_01_sfnt_off0000beef.bin
a466991bef77c1b146cf4b40aec2c33bbc916a2e77affde0545bd2fa7343c382		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBEEF 10988 bytes
font_02_sfnt_off0000e39d.bin
a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE39D 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.