PDF static analysis report

Static analysis result for SHA-256 25a14ff2af0d9dd2…

Verdict: SUSPICIOUS

File type: PDF

Size: 48.7 KB
Created: 2020-11-07 10:04:02 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-05
MD5: 30887eae7be82712ff6d0e09ca6c78d3
SHA-1: b52d14cbe705d2cf476409a0207e81023df4491b
SHA-256: 25a14ff2af0d9dd291326dc2cc065ed304c6fa727d7f8bbd999a557840db66d9
Risk Score: 36

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to 'trafffi.ru', which is flagged as suspicious. While no scripts were explicitly extracted, the presence of an external URI within a PDF, combined with a high ML classifier score, suggests an attempt to redirect the user to a malicious site. The document body is heavily obfuscated, but the URL itself is clearly visible.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://trafffi.ru/123?keyword=bmw+style+5+center+caps (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_005_off00008d23.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x8D23 | 23628 bytes
  SHA-256: f6cf6474b2df76af0bcd2c6e670f194757a8fc43d2a8fe966c5203b4023a1e3e
font_00_sfnt_off000055d0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x55D0 | 5448 bytes
  SHA-256: 8ea94f77d98a7cedbccac6600bc364ac2fda428be7999f39beb60306ca8568fe
font_01_sfnt_off0000685a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x685A | 10708 bytes
  SHA-256: 29d76f717c041f14d23232c659ed0f66278c801dbc578ca5d9011304a3061a25