Malicious PDF — malware analysis report

Static analysis result for SHA-256 2dfe6a9809bd3498…

MALICIOUS

PDF

66.3 KB Created: 2020-11-25 00:28:13 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f0e3bafac0707c7ca2f63d5deb88ede0 SHA-1: 14096eb04f2cc490a12e1b0a23078cf4262d22d8 SHA-256: 2dfe6a9809bd349818b2844a59f7e1aa9c2b5940488d62d63e8657ed9a94b922
254 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link T1059.007 JavaScript

This PDF file was flagged as malicious by ClamAV and an ML classifier, and contains numerous links to external PDFs, suggesting a link farm or redirection attempt. The 'ClickFix' heuristic indicates the document likely instructs the user to execute commands, a common tactic for social engineering attacks to bypass security measures. The embedded URL 'https://ggtraff.ru/strik?utm_term=more+swords+mod+wiki' is identified as a malicious redirector, further supporting the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?utm_term=more+swords+mod+wiki
    • https://cdn-cms.f-static.net/uploads/4390328/normal_5f9f16e157050.pdf
    • https://cdn-cms.f-static.net/uploads/4491159/normal_5faf92bbba632.pdf
    • https://cdn-cms.f-static.net/uploads/4501356/normal_5fb43a81785cf.pdf
    • https://cdn-cms.f-static.net/uploads/4366369/normal_5f871c6041b1c.pdf
    • https://repafajekojila.weebly.com/uploads/1/3/4/3/134305679/mopisa-ravofupegubad.pdf
    • https://cdn-cms.f-static.net/uploads/4401716/normal_5f974af2b267d.pdf
    • https://cdn-cms.f-static.net/uploads/4368997/normal_5f9bc8e0e75ba.pdf
    • https://cdn-cms.f-static.net/uploads/4367279/normal_5f8905e1f0dd6.pdf
    • https://cdn-cms.f-static.net/uploads/4369152/normal_5f8f3ce89d28b.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/vavale/parallel_quest_49_xenoverse_2_guide_dlc_6.pdf
    • https://s3.amazonaws.com/lopadivupudexa/mibutidemutizemizisajeses.pdf
    • https://uploads.strikinglycdn.com/files/6e2393e8-69a2-43fd-b121-b62cfa4ef72d/estructura_de_lewis_so3.pdf
    • https://uploads.strikinglycdn.com/files/105194c8-6663-41c8-b06f-53cd7406a917/san_pietro_in_montorio_horario.pdf
    • https://uploads.strikinglycdn.com/files/c3123cf6-de91-474f-9cf1-a23619bf5a31/70292210730.pdf
    • https://uploads.strikinglycdn.com/files/11fc4836-a5f0-4d00-a0f6-bf53ce11162e/47323377011.pdf
    • https://uploads.strikinglycdn.com/files/2e9a8540-6e9c-4a8c-84ca-86a8773f1e11/modof.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b2c1.bin
4aab3eee2165d18a246a32d800133f60a23f4927cc134f94bcf10849067f4b27		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB2C1 4892 bytes
font_01_sfnt_off0000c36d.bin
022a6b36af7cb89a3e0e7f368a2fb25e431d5b254863087908b168d0b0a10bdf		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC36D 10132 bytes
font_02_sfnt_off0000e638.bin
9b78b915eb75ef0aea6965a6113565ca1bcac7735c766488ce9f12ff332a71b4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE638 16064 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.