Malicious PDF — malware analysis report

Static analysis result for SHA-256 2fe7298aeaa95f85…

MALICIOUS

PDF

54.4 KB Created: 2020-11-01 12:16:37 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e49d5deafb0f6486cc4cebb86cd135bb SHA-1: 56e62074dd0984bee8cd53624b28ec0b9b3f63a2 SHA-256: 2fe7298aeaa95f85aa9fdc18255cae8b82c13aaaf53b3f8fedd1dbc3eafc2474
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing indicating a malicious redirector link to 'https://ggtraff.ru/123?keyword=calendario+escolar+2019+y+2020+para+imprimir'. The ML classifier also strongly flagged this PDF as malicious. While no scripts were explicitly extracted, the presence of a malicious URL within the document body suggests an attempt to lure the user to a compromised site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/123?keyword=calendario+escolar+2019+y+2020+para+imprimir
    • https://vodexekuteb.weebly.com/uploads/1/3/0/7/130776001/ripotot.pdf
    • https://zejikato.weebly.com/uploads/1/3/3/9/133997407/fajuvat.pdf
    • https://cdn-cms.f-static.net/uploads/4393772/normal_5f9ab65eea27d.pdf
    • https://cdn-cms.f-static.net/uploads/4368742/normal_5f8b2e35027ad.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/5b991ac9-0af9-4cdd-aa02-8495684acec9/pizepubi.pdf
    • https://s3.amazonaws.com/fasanag/30352307907.pdf
    • https://s3.amazonaws.com/mexavofezoxi/95010888681.pdf
    • https://cdn.shopify.com/s/files/1/0432/4442/1282/files/julareziwerakifutexevo.pdf
    • https://s3.amazonaws.com/vutame/19512642137.pdf
    • https://cdn.shopify.com/s/files/1/0502/1417/4900/files/german_shepherd_stuffed_animal_near_me.pdf
    • https://cdn.shopify.com/s/files/1/0431/1885/4306/files/51482450312.pdf
    • https://s3.amazonaws.com/rebesudanolo/6798133652.pdf
    • https://uploads.strikinglycdn.com/files/ab81a958-52fb-4f3e-8091-33a3a9a4543a/jetag.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009233.bin
7031e0c6ed3d6943f9963beda303a39e8746a75c5724cf4836732cfb2372614a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9233 5708 bytes
font_01_sfnt_off0000a589.bin
98f00fd12935ab5332ca9f92d55a8e646712abb69888385bb4f1822c67cff54b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA589 11480 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.