Malicious PDF — malware analysis report

Static analysis result for SHA-256 19c212da9dcb1fda…

MALICIOUS

PDF

Size: 92.0 KB
Created: 2020-12-24 20:11:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-02

MD5: 3a4a1a49dacb4359e588133ebd5e7d8a
SHA-1: d85a98a2c88c2534ec8a78fe03f98e58b512df00
SHA-256: 19c212da9dcb1fda481394d8a830a7679b22b53b6d0f2568db3f9ad460c71b97

Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'traffmen.ru'. The ML classifier also strongly flagged this PDF as malicious. While no scripts were extracted, the embedded URL is the primary indicator of malicious intent, likely serving as a lure to a phishing or malware distribution site. The document body, though heavily obfuscated, contains text that appears to be a 'food guide' lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel: In PDF document text)
    • https://traffmen.ru/aws?utm_term=greystones+food+guide (In PDF document text)
    • https://cdn.sqhk.co/daxutoxod/2ibV8hj/postknight_division_quest.pdf (In PDF document text)
    • https://cdn.sqhk.co/zurosewe/SnM7qBo/city_car_driving_ps4_download_pc_windows_7.pdf (In PDF document text)
    • https://cdn.sqhk.co/waximanodif/f1jjqgj/51428196548.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4424036/normal_5fad3d83afe98.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • https://uploads.strikinglycdn.com/files/b4780c97-bd50-4531-8b5f-d18bba39d574/logelonovumegawuxibofiv.pdf (In PDF document text)
    • https://s3.amazonaws.com/gofiguj/wilmington_city_schools_facebook.pdf (In PDF document text)
    • https://s3.amazonaws.com/sixenogafopoj/39706103730.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/df444bbc-0000-4455-8f4c-d4fb456f2892/xijitim.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/1f397008-bcf4-414a-be2f-d1853e5de39e/wilderness_navigation.pdf (In PDF document text)
    • https://s3.amazonaws.com/kasuwevovog/first_mortgage_rate_sheet.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/22713028-f86e-46c0-a32f-59fcca15be8a/rule_of_9s_diagram.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/281ae8a6-4cbe-44ce-af8d-0e56975ba8a6/vimofakavev.pdf (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
    • https://savannah.gnu.org/projects/freefont/ (In PDF document text)
    • http://www.gnu.org/licenses/ (In PDF document text)
    • http://www.gnu.org/copyleft/gpl.html (In PDF document text)
    • http://scripts.sil.org/OFL (In PDF document text)
    • http://dejavu.sourceforge.net (In PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (In PDF document text)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000df58.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDF58 | 6588 bytes
  SHA-256: 24fd6868f187b5667792517f9f69d22ac5a3de5011d4d3824467392effeade79
font_01_sfnt_off0000efa1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEFA1 | 2856 bytes
  SHA-256: 6a7390c9e634f7f167841a75ffa617ce3f7010ba402b4c06ad0a47e5500b6a59
font_02_sfnt_off0000f9cb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF9CB | 4968 bytes
  SHA-256: 41ea6dad52bafe475ab03f08a87a620a01464185a61e11733bc72d979b7e642f
font_03_sfnt_off00010aca.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10ACA | 8532 bytes
  SHA-256: 5ca7aa47ea25808873eee0b834fa4111a3fa1d052591114946f94cc561a499df
font_04_sfnt_off000126b4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x126B4 | 11300 bytes
  SHA-256: e2c994b3b7d2e5ed0523b857243b02149ef566192c2135ac81f358c7d1d843af
font_05_sfnt_off00014ccf.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14CCF | 16236 bytes
  SHA-256: 60fdebf8a4e76325f0b7815050a713fbf90e98737696651a9eac2cf643d69390