Malicious PDF — malware analysis report

Static analysis result for SHA-256 1bc1bb060419f9b5…

MALICIOUS

PDF

69.8 KB Created: 2020-11-11 07:58:44 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-22
MD5: 68451307517036b3b91a0c72397739f0 SHA-1: dc12098b0443b73eecb926b623a34ee25ce28bb8 SHA-256: 1bc1bb060419f9b5e4f328ab0d9ced0d9185db0f420813c5ba727fd354f68347
234 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF file was flagged as malicious by multiple heuristics, including a critical alert for linking to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains keywords related to a phone battery pack, suggesting a lure. The presence of numerous embedded links, including one pointing to a known malicious redirector, indicates an attempt to direct users to malicious sites for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/123?keyword=phone+battery+pack+bt18433 In PDF document text
    • https://togitarusufojir.weebly.com/uploads/1/3/2/6/132681229/1390557.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4386079/normal_5f969f6020f6e.pdfIn PDF document text
    • https://tenikekiso.weebly.com/uploads/1/3/0/7/130775729/6587526.pdfIn PDF document text
    • https://mibakadediwo.weebly.com/uploads/1/3/4/5/134584598/1092498.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4451210/normal_5fa29f3c1b911.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/kavitokolezub/fewesadolebudefomer.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a2d0151e-9186-4707-bc50-70b1d3a05911/xutidurafijetufagik.pdfIn PDF document text
    • https://s3.amazonaws.com/dudurat/30107218299.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/232657c0-77c5-4a8d-a4eb-1f36aef5f9f5/4.4_puzzle_time_answers_did_you_hear_about.pdfIn PDF document text
    • https://s3.amazonaws.com/xisefowu/58940182086.pdfIn PDF document text
    • https://s3.amazonaws.com/memul/27504541095.pdfIn PDF document text
    • https://s3.amazonaws.com/gizonukorad/pakukobug.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/076d51ff-08e0-4830-a4c2-b9a074f2cac7/86304142693.pdfIn PDF document text
    • https://s3.amazonaws.com/fosagoba/94725006109.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d324.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD324 5616 bytes
SHA-256: da25ae326d7ef79ca9d00d0a854b9ed779b7b7e85cb300e7181e19a265b7899b
font_01_sfnt_off0000e64e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE64E 10684 bytes
SHA-256: de933927b23dc753b047fa6910b03afa333f33e4d8e9895c810af1be3af22feb