Malicious PDF — malware analysis report

Static analysis result for SHA-256 034975c82dba7a28…

MALICIOUS

PDF

63.8 KB Created: 2020-11-22 00:19:06 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c0742def326dc36c6cdb13c8b29b2724 SHA-1: d3485564e1363ed8f9ed895c7ca893f5cb8aeb10 SHA-256: 034975c82dba7a28f6b5016c28cdd6ac826fb8069f4a7f174392973fd22856ef
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link to a known malicious redirector, indicating a phishing or malware distribution attempt. The embedded URL is disguised with a seemingly innocuous query parameter related to game items. While no scripts were explicitly extracted, the PDF structure and the malicious link strongly suggest an attempt to redirect the user to a malicious site, likely for phishing or to download a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/123?utm_term=torchlight+2+item+recipes
    • https://cdn-cms.f-static.net/uploads/4370780/normal_5f8a5bdf4474b.pdf
    • https://cdn-cms.f-static.net/uploads/4375339/normal_5fae252c4bfd4.pdf
    • https://cdn-cms.f-static.net/uploads/4371240/normal_5f8c659fc29fc.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/mesixadelomomo/slope_ball_unblocked.pdf
    • https://s3.amazonaws.com/xapota/65631203729.pdf
    • https://s3.amazonaws.com/wejalixex/bolt_size_calculation.pdf
    • https://s3.amazonaws.com/buganabowumujef/algebra_2_textbook_pearson.pdf
    • https://s3.amazonaws.com/metubevozisul/samagemalumi.pdf
    • https://s3.amazonaws.com/dazemi/73035142700.pdf
    • https://uploads.strikinglycdn.com/files/46112b1e-955c-4a0d-86cc-ba66bfa67a45/93644066968.pdf
    • https://s3.amazonaws.com/henghuili-files/buddha_story_in_kannada.pdf
    • https://s3.amazonaws.com/jebokizez/fazip.pdf
    • https://s3.amazonaws.com/memul/pata_vs_sata_vs_ide.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bc9a.bin
1cc0cc69cea1b0ec54a61e6e7643daa9f3a631c8f5fc62bfe3410580c944c24f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBC9A 5216 bytes
font_01_sfnt_off0000ce37.bin
bd022bbab32c24f6de9072da4545e52fcbcf3ff49c9d2e869f5dd82550a1284c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCE37 10688 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.