Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee734844f654e42c…

Verdict: MALICIOUS
File type: PDF
Size: 64.0 KB
Created: 2020-11-17 14:42:25 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 448901a4b50a7a61d175deeb12cd8cb4
SHA-1: e051104e36c98d15927f4efb0d8078996a2c9476
SHA-256: ee734844f654e42c76b8a06b3b48a1e83dbc0790d349d6e73f40d62b5267c407
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document flagged by multiple security tools as malicious, including ClamAV and an ML classifier. It contains an embedded URI pointing to 'trafftec.ru', which is likely a phishing or malware distribution domain. The document body, though heavily obfuscated, suggests a lure related to a 'guide official dark souls 3 pdf', indicating a social engineering attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9695

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafftec.ru/strik?utm_term=guia+oficial+dark+souls+3+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d8a6.bin
SHA-256: 476b27ff5d8600d5f3bb2e567240beca82b0ee53f22e54bbf71e56b290b4a75d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xD8A6
Size: 5408 bytes