Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6a0bfbe0a13064b…

MALICIOUS

PDF

80.6 KB Created: 2020-12-02 15:22:21 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ab3036f23f362c06c9ad5c036a86d4b9 SHA-1: 91f8ed96dd71771130dc113f39ef6f0ffb8d9ba8 SHA-256: e6a0bfbe0a13064be5b9f52aee33198f1069279d192edea2b179e41ef5693377
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document flagged as malicious by ClamAV and an ML classifier. It contains an embedded URL pointing to a suspicious domain, likely intended for phishing. The document body contains garbled text, suggesting it may be obfuscated or malformed, but the presence of the external URI is a strong indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffi.ru/strik?utm_term=aluminum+baseball+bat+weight
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static1.squarespace.com/static/5fc116c5bdb33045eec368a4/t/5fc5ebb83570fb44d1cf33c6/1606806456487/gogitusabidu.pdf
    • https://static1.squarespace.com/static/5fc0efc3b8467722f1d478d1/t/5fc281cbe18c5c478e4cd1e9/1606582740698/43457792789.pdf
    • https://uploads.strikinglycdn.com/files/f49d4743-12c3-497a-8960-8a4e0d774e9c/parefamoralopabepowasibo.pdf
    • https://uploads.strikinglycdn.com/files/861e8814-521b-485e-b1ac-676fbd4019fc/75573166125.pdf
    • https://s3.amazonaws.com/satedafadusizo/cctv_camera_ki_full_form_batao.pdf
    • https://static1.squarespace.com/static/5fc4e20c8ef7301f8b2a786d/t/5fc522d318e72e5fdb7c327e/1606755027489/lijexukaxusefaxuxapaxopil.pdf
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbd21d6b08f4a0e85063d15/1606230487035/whats_the_plural_possessive_of_moose.pdf
    • https://s3.amazonaws.com/wujapu/84384977113.pdf
    • https://uploads.strikinglycdn.com/files/94769021-f049-4c7f-bfdf-14053acf3a0b/senejufokibolaruga.pdf
    • https://s3.amazonaws.com/rizezobabub/212-211-9859-9858_is_true.pdf
    • https://s3.amazonaws.com/tobobowu/free_me_laurelin_paige_free_online.pdf
    • https://static1.squarespace.com/static/5fbfd308239b0722912b0841/t/5fc111f02dd96f5918152d40/1606488561799/doxitoresaxaronigiwito.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fca0.bin
97710a97e7038c867bccec13771c483a0f99d958362e66834f4cd28171b2e5ea		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFCA0 5224 bytes
font_01_sfnt_off00010e51.bin
0572e0e22340d16edeac9eaefc1ebd592860c6c3867ec23f7fa1c09859d5eef4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10E51 11796 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.