Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff0e89a0bbb5bb96…

MALICIOUS

PDF

Size: 67.2 KB
Created: 2020-12-14 12:03:24 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8ce5bacbb6e39c6fffce4a598e9b1603
SHA-1: 9cc0634f97118d927c8c05f63e7f0abf1f4df6a9
SHA-256: ff0e89a0bbb5bb96bcb16a300f1e295540d45eab65ea832bbbc3da90dc15d8ae
Risk Score: 176

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF document relies on social-engineering lures: it impersonates a cloud document-sharing service and prompts the user to install a browser extension or update, a common pretext for getting the user to download and run a malicious payload or to hand over credentials. The authoring application (wkhtmltopdf) shows the document was rendered from an HTML page, which is consistent with the web-style lure text. The external link annotation pointing to 'trafffi.ru' (its utm_term parameter, 'beetlejuice 2 google drive', reads as a search query, typical of SEO-driven lure chains) is the click-through target; it may act as a redirector, a credential-harvesting page or a download server, and static analysis alone does not establish which, so confirm it with dynamic analysis or URL reputation before acting on it. Note also that none of the heuristics below flag JavaScript, an OpenAction or an exploit-related structure: the only active element observed is the URI action, so the T1203 and T1059.007 mappings are not corroborated by the static findings on this page.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware under the signature named above
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros, editing or content. In Office documents this is the standard dropper pretext for bypassing macro security settings; in a PDF, which has no macros, the same wording is purely a social-engineering prompt to make the user click through
  • Cloud document impersonation lure medium SE_CLOUD_DOC_LURE
    Document impersonates a cloud file-sharing service such as SharePoint, OneDrive, Google Drive, Dropbox, Box, or Microsoft 365 and asks the user to open, verify, or access a shared document
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates (a saved-over file appends new object definitions rather than rewriting the old ones), so severity is raised only when the duplicate carries active content such as a URI, JavaScript or launch action.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    External URL action (link annotation /URI, the click-through target flagged under PDF_URI):
    • https://trafffi.ru/123?utm_term=beetlejuice+2+google+drive
    Other URLs extracted from the document (channel not labelled in this report; the pattern of unrelated "download PDF" titles on free hosting services is typical of SEO-spam lure documents, and these should be treated as related infrastructure rather than as payload servers until checked):
    • https://cdn-cms.f-static.net/uploads/4377697/normal_5fc19d1bbdc76.pdf
    • https://cdn-cms.f-static.net/uploads/4448337/normal_5fae578cade7c.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/b8f09d14-7acd-44f5-bcd7-8576dd211e78/visit_pirate_camps_map.pdf
    • https://static1.squarespace.com/static/5fc6783427a199023adb956e/t/5fd609cc034a586a4f39bcc6/1607862732768/amharic_bible_for_mac.pdf
    • https://uploads.strikinglycdn.com/files/af9cff1c-6e4b-4721-b82d-cb870905208f/74597843013.pdf
    • https://static1.squarespace.com/static/5fc6d63eb2e29c7ba9901a48/t/5fd7372d3ebe0416317a5718/1607939886794/chiang_kai_shek_college_uniform.pdf
    • https://s3.amazonaws.com/davawina/civil_engineering_reference_manual_16th.pdf
    • https://uploads.strikinglycdn.com/files/4832353a-c802-4c47-987a-e4395ac2e469/black_beatles_mp3_download_naijaloaded.pdf
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbdfe191972c46e3c657270/1606286873413/segment_addition_postulate.pdf
    • https://s3.amazonaws.com/kezemiradigu/legal_advice_online_chat.pdf
    • https://uploads.strikinglycdn.com/files/ba0be1fb-6538-4e1f-acd8-95b4c7993649/disney_plus_error_code_39_xbox.pdf
    • https://static1.squarespace.com/static/5fc4bfca24b06a7eb3181a05/t/5fd20b23133bcb3b88a3f4a4/1607600933873/siegefall_java_game.pdf
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbe0daf6457125654018491/1606290863194/grossmont_college_canvas_support.pdf
    Namespace and licence URIs from XMP metadata and the embedded fonts (standard RDF, Dublin Core, Adobe PDF/XMP schema identifiers and the SIL Open Font License URL; these are identifiers, not navigable lure targets, and are expected in any XMP-tagged PDF):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
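
As an added worked example (not part of this report and not the analysis engine's own code), the script below reproduces the two structural checks that matter here, PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, on a raw file: it finds indirect objects defined more than once with differing bodies, reports whether either body carries active content, and lists the /URI targets a first-wins reader and a last-wins reader would resolve. The embedded sample PDF, its object layout and its URLs are constructed for illustration and are not carved from the analyzed sample.

```python
import re
from collections import defaultdict

# Constructed sample (not the analyzed file): a minimal PDF with one link annotation,
# followed by an incremental update that redefines object 5 with a different /URI.
# A first-wins reader sees the benign URL; a last-wins reader sees the lure URL.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [5 0 R] >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://example.test/benign) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://lure.example/123?utm_term=shared+document) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 9 >>
%%EOF
"""

# "N G obj ... endobj" in the uncompressed body; objects inside /ObjStm streams are not seen.
OBJ_RE = re.compile(rb"(?s)(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj")
# Literal-string /URI value, allowing backslash escapes inside the parentheses.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Dictionary keys that make an object "active" (can trigger a fetch, script or launch).
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR")


def decode_pdf_string(raw):
    """Unescape a PDF literal string (\\( \\) \\\\ \\n ... and octal \\ddd); decode as latin-1."""
    def repl(m):
        esc = m.group(1)
        if esc[:1].isdigit():
            return bytes([int(esc, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}.get(esc, esc)
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, raw).decode("latin-1")


def find_objects(data):
    """Map (num, gen) -> list of body bytes, in file order (so [0] is first-wins, [-1] last-wins)."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(data):
    """Objects defined more than once with differing bodies, plus whether either body is active.

    Returns {(num, gen): (first_body, last_body, carries_active_content)}.
    """
    found = {}
    for key, bodies in find_objects(data).items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            first, last = bodies[0], bodies[-1]
            active = any(k in first or k in last for k in ACTIVE_KEYS)
            found[key] = (first, last, active)
    return found


def extract_uris(data):
    """Every /URI target present anywhere in the raw bytes (what a grep-style scanner reports)."""
    return [decode_pdf_string(m.group(1)) for m in URI_RE.finditer(data)]


def resolve_uris(data, policy="last"):
    """The /URI targets a reader would actually follow under first-wins or last-wins resolution."""
    uris = []
    for bodies in find_objects(data).values():
        body = bodies[0] if policy == "first" else bodies[-1]
        uris.extend(extract_uris(body))
    return uris


if __name__ == "__main__":
    for (num, gen), (first, last, active) in duplicate_objects(SAMPLE_PDF).items():
        sev = "HIGH" if active else "info"
        print(f"[{sev}] object {num} {gen} defined twice with different bodies")
    print("first-wins URIs:", resolve_uris(SAMPLE_PDF, "first"))
    print("last-wins URIs: ", resolve_uris(SAMPLE_PDF, "last"))
```

Run it against a real file by replacing SAMPLE_PDF with the file's bytes. Two caveats: the regex only sees objects in the uncompressed body, so anything packed into an object stream (/ObjStm, PDF 1.5 and later) or stored as a hex string rather than a literal string is missed, and the severity logic deliberately mirrors the report's rule, raising the duplicate-object finding only when one of the bodies carries an active key.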

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000cd12.bin
    SHA-256: 98f21431eb68c0acfb1f03a05b9ae1556feccce0ba543dd234394d2f11b01935
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCD12
    Size: 5036 bytes
  • font_01_sfnt_off0000de58.bin
    SHA-256: 58e4b726a72acda2a1e8ae272496f3bc8cb326605be0152d1a9b070bf04da326
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDE58
    Size: 9876 bytes