Malicious PDF — malware analysis report

Static analysis result for SHA-256 112c84200ad89ffe…

MALICIOUS

PDF

Size: 44.6 KB
Created: 2020-11-05 17:03:51 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7d19e7be73dea294d9d745d3b6b65841
SHA-1: 7ac2b3e5dbbadc5477c43703745b7386833579bc
SHA-256: 112c84200ad89ffee3faad8f644d448a64d4b5d439570780685a9015efe6ffd9
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a link identified as a malicious redirector, pointing to 'https://traffmen.ru/aws?keyword=donkey+costume+for+kids'. This suggests the document is designed to trick users into visiting a malicious site, likely for phishing or to download further malware. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffmen.ru/aws?keyword=donkey+costume+for+kids (label: URL)
    • https://cdn-cms.f-static.net/uploads/4379849/normal_5f9c35b2cf562.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/f513d1df-df2f-49cf-b7c7-a1b3fafb77e8/lujizumunobisumorulunadeb.pdf
    • https://s3.amazonaws.com/gupuso/abordagem_cognitivo_comportamental.pdf
    • https://uploads.strikinglycdn.com/files/7570c03a-2430-48f7-a244-08ffe02b9d20/fumevi.pdf
    • https://uploads.strikinglycdn.com/files/e5559036-caa5-4963-aee4-fd94e1003fce/the_dance_space_cf.pdf
    • https://s3.amazonaws.com/regegozumekoza/territory_war_3_unblocked_66.pdf
    • https://s3.amazonaws.com/sizadagazagaj/59835378799.pdf
    • https://s3.amazonaws.com/tosevud/lozujisularit.pdf
    • https://s3.amazonaws.com/jafujasiwetid/vindictive_bastard_pathfinder.pdf
    • https://s3.amazonaws.com/kabisebax/91891769800.pdf
    • https://s3.amazonaws.com/waxapoz/xakufijapijikoviresereg.pdf
    • https://s3.amazonaws.com/wefadep/chicago_title_land_trust_company.pdf
    • https://uploads.strikinglycdn.com/files/8bf139e2-fa84-45bc-8e4f-a270be01e966/38527949939.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • Filename: font_00_sfnt_off000063bf.bin
    SHA-256: 10301c0f6e3c1b10d9f78437401c29540bc7a2e2655e82e74e8ccaf65b0055b3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x63BF
    Size: 4972 bytes
  • Filename: font_01_sfnt_off0000749e.bin
    SHA-256: f522d2307bce66cdfa14cf0d9e9b012ac23749e14a3307d79f25a3f4a97370fb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x749E
    Size: 10460 bytes
  • Filename: font_02_sfnt_off000097ef.bin
    SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x97EF
    Size: 4324 bytes