Malicious PDF — malware analysis report

Static analysis result for SHA-256 0eea61761c5f312e…

MALICIOUS

PDF

41.2 KB Created: 2020-10-31 06:59:44 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ceee8613cb280d4a7fe3834c19b80918 SHA-1: 744f1e3408d7b5b5e7dc61af52ef6ec816a9cd45 SHA-256: 0eea61761c5f312e149043107c5092600db718e2bf546e205f011b574c266893
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded link that redirects to a known malicious URL, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The ML classifier also flagged this PDF as malicious with high confidence. The embedded link likely serves as a lure to download further malicious content or redirect to a phishing site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/123?keyword=gi%25C3%25A1+%25C4%2591%25E1%25BA%25A5t+five+star+eco+city
    • https://cdn-cms.f-static.net/uploads/4384649/normal_5f8e55fadde71.pdf
    • https://pefopurez.weebly.com/uploads/1/3/4/3/134375846/newetafopixikoj.pdf
    • https://buxivadoga.weebly.com/uploads/1/3/0/7/130740323/kugit.pdf
    • https://veborikaja.weebly.com/uploads/1/3/4/3/134317734/birenisalos.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/susopuzupure/gisejonirolojad.pdf
    • https://uploads.strikinglycdn.com/files/234bd569-5d25-413d-94e4-6a58f5103c10/0_bl_0_belirsizlii.pdf
    • https://s3.amazonaws.com/libeganot/characteristics_of_epic_hero.pdf
    • https://s3.amazonaws.com/zuxadol/86138265863.pdf
    • https://s3.amazonaws.com/dukajevo/delelamu.pdf
    • https://s3.amazonaws.com/bepukuba/partner_steel_stove_16.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005344.bin
7a30b7412f888b0a57446c2081b8b8621afd10ddf929e3d7ba1646233459c2cd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5344 5368 bytes
font_01_sfnt_off0000648b.bin
c04672ec9f875d4cda3603e22afaf53da301dd29f3083ebcaa271377d0ff48dd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x648B 11044 bytes
font_02_sfnt_off0000889d.bin
d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378		 pdf-font-stream PDF embedded font (sfnt) at offset 0x889D 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.