Malicious PDF — malware analysis report

Static analysis result for SHA-256 0fd3dd04820e0929…

MALICIOUS

PDF

66.8 KB Created: 2020-12-17 00:30:53 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7b0ef4ee8772cabced119800f007de0d SHA-1: 77a0fde5793910971c17210532559a7b20a8b7ea SHA-256: 0fd3dd04820e09295ab5aa312220bad426797c8bcaf0e1145ceb851c70fbe1ec
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains heuristics indicating it is a malicious redirector, linking to a known malicious domain. The ML classifier also strongly flagged this PDF as malicious. The embedded URL is designed to impersonate a school Ofsted report, likely to trick the user into clicking the link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffmen.ru/aws?utm_term=calderstones+school+liverpool+ofsted+report
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/3de527e8-3fd9-4650-b113-c3549f89b373/xasibixi.pdf
    • https://s3.amazonaws.com/gofilafixu/canicula_norma_cantu.pdf
    • https://static1.squarespace.com/static/5fc0b633d26ff1194f72bba3/t/5fc237eebc819f1cf4225b9e/1606563823480/87195255122.pdf
    • https://uploads.strikinglycdn.com/files/da06e585-010c-401f-a4c3-e0813c4b12c0/fipoz.pdf
    • https://s3.amazonaws.com/votubukaxogilix/yuki_japanese_restaurant_portland.pdf
    • https://s3.amazonaws.com/senodiw/kanchipuram_temple_photos.pdf
    • https://uploads.strikinglycdn.com/files/0147c51c-2fa2-4924-a63e-d7c8c1218eaa/96458289791.pdf
    • https://s3.amazonaws.com/bidivo/emulator_games_mac.pdf
    • https://uploads.strikinglycdn.com/files/f45c3703-48aa-4e30-b509-3f173b59fa77/wolf_tv_show.pdf
    • https://uploads.strikinglycdn.com/files/bbce3382-6e96-49f6-b71c-b6a508a9a512/13713382808.pdf
    • https://uploads.strikinglycdn.com/files/fc6dd2fc-f2ba-4f04-9a06-cd3b16edf441/gawurirexova.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c506.bin
8a27ce307be80f9139093854123e00ae9ec3f2c4942ddb69006da3aec22e2af7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC506 5208 bytes
font_01_sfnt_off0000d6bc.bin
bdce95d6d18bd9c1293f2975521dc71a84dd7de0fdbbbcf8dd8d6551fd4533e9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD6BC 12464 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.