Malicious PDF — malware analysis report

Static analysis result for SHA-256 098501549249d187…

MALICIOUS

PDF

58.7 KB Created: 2020-11-23 13:02:18 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6e2847bb463aaf5faab55b4c47921aaa SHA-1: 6b4464326557f24a918597f29bab739bffbffb9c SHA-256: 098501549249d18782fc16c1ffcd821c8fa7543d679dd373604912b911148c54
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ggtraff.ru'. This URL is presented in a context that appears to be a lure related to 'neoprene rubber sheet bunnings', suggesting a phishing attempt. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?utm_term=neoprene+rubber+sheet+bunnings
    • https://cdn-cms.f-static.net/uploads/4369331/normal_5f8ed9e75125b.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/lejivugeleguwod/capital_e_cursive_writing.pdf
    • https://s3.amazonaws.com/vifusupegiza/edward_said_orientalism_introduction_summary.pdf
    • https://s3.amazonaws.com/subud/advocates_remuneration_order_2014_kenya.pdf
    • https://uploads.strikinglycdn.com/files/6145ec5a-2579-4791-914d-d5966ed3bcb4/rulukomedaj.pdf
    • https://s3.amazonaws.com/bunobu/the_good_wife_parents_guide.pdf
    • https://s3.amazonaws.com/setaxilitozuko/zedeneviwuxitopefividuvi.pdf
    • https://uploads.strikinglycdn.com/files/7d88c222-e20b-4253-bfc8-f704ef31c596/dekaju.pdf
    • https://s3.amazonaws.com/jamokaroxoj/median_of_grouped_data_questions_and_answers.pdf
    • https://uploads.strikinglycdn.com/files/b5220cee-8c5a-4c85-80af-2bfb1ccbb26e/rifugugoxutapune.pdf
    • https://uploads.strikinglycdn.com/files/28bb48b1-e627-418a-9ce8-0bfc9ab83d0f/anima_beyond_fantasy_character_sheet.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a843.bin
cd5d193fd362fadd86c988297d35398e5bbbf5e8c52d8487aec9192a8b6dcfcc		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA843 4948 bytes
font_01_sfnt_off0000b918.bin
735c7dfd6d2023df161c62ccf3ddf7a9ccee5ff48a87f9eeff25753da5e9f9ed		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB918 10904 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.