Malicious PDF — malware analysis report

Static analysis result for SHA-256 08cf2670b0fed9df…

MALICIOUS

PDF

39.7 KB Created: 2020-11-03 12:06:36 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c9b6363127d8f66e2de68358ca25dbfb SHA-1: 1d33df1ac92bce94196472590d713101cb469fd8 SHA-256: 08cf2670b0fed9df6a860a80b5f2b9b1da8a477bc6ec9e99dbc509a69fbf1fec
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a link disguised as a 'Liftmaster garage opener manual' which redirects to a known malicious URL. The ML classifier strongly flagged this PDF as malicious, and the PDF_MALICIOUS_REDIRECTOR_LINK heuristic confirms the presence of a malicious redirector. The embedded URLs and document structure suggest a phishing or redirection attempt to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/123?keyword=liftmaster+garage+opener+manual
    • https://cdn-cms.f-static.net/uploads/4384029/normal_5f9995d0edff5.pdf
    • https://ninukiwipovesot.weebly.com/uploads/1/3/0/9/130969879/74ae5439bbe84.pdf
    • https://jalewigevat.weebly.com/uploads/1/3/2/6/132681207/rilora.pdf
    • https://cdn-cms.f-static.net/uploads/4369331/normal_5f8b74f8cfb61.pdf
    • https://farupixin.weebly.com/uploads/1/3/4/3/134314126/vojirebowus_gaxuligoxirewo.pdf
    • https://winomumamo.weebly.com/uploads/1/3/1/0/131070375/xekovedowufa.pdf
    • https://dopikilazobowu.weebly.com/uploads/1/3/4/4/134488506/pedoguvil_gawatorafuse.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/49b2865f-7aa2-4a1c-9aa7-5e1aaf08214d/97757192232.pdf
    • https://s3.amazonaws.com/solonebosop/44689009503.pdf
    • https://uploads.strikinglycdn.com/files/752b299f-1ed6-4cc8-9908-8f7f005fb708/bapagipapidokavegavubak.pdf
    • https://uploads.strikinglycdn.com/files/cfbf0eb5-8b0f-4943-8675-1cf8e7212a75/warum_hat_hardi_pietsmiet_verlassen.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005eac.bin
dd57a48c17abf609d0b0f239632ae06ff744205fd002c713846a574bf1897470		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EAC 5164 bytes
font_01_sfnt_off0000702a.bin
5805b1e08339c95c407e51f290ccf8ee4c7b5254435d9ddd86f08147c17e1136		 pdf-font-stream PDF embedded font (sfnt) at offset 0x702A 10088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.