Malicious PDF — malware analysis report

Static analysis result for SHA-256 021354be5b202afe…

MALICIOUS

PDF

Size: 66.6 KB
Created: 2020-11-19 20:04:27 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1274bff9b2a05b34015fed5aa3469c0b
SHA-1: 1511bc8148bed35ecb3eb31cd5be191b628a5ea5
SHA-256: 021354be5b202afedbeb1be93423e52cf6bc88be17ef27c02356e7bdd33cc027
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. It contains a critical heuristic firing for a malicious redirector link pointing to 'ggtraff.ru'. While no scripts were explicitly extracted, the PDF structure and the presence of embedded URLs suggest it's designed to lure users to a compromised site. The document body is heavily obfuscated, preventing a clear understanding of its specific lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ggtraff.ru/strik?utm_term=the+rose+society+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000ca3b.bin
    SHA-256: 73f7219898186b7464ffbd8c4c474c94fe1f1553e28b57601d0bb13d0d2580c1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCA3B
    Size: 5052 bytes
  • Filename: font_01_sfnt_off0000db74.bin
    SHA-256: fbf87afe65e6a73c2604960ff0047dbc32a89595d31c9a6e115b0c24f1d29b57
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDB74
    Size: 10076 bytes