Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ad9ed18e0362553…

Verdict: MALICIOUS
File type: PDF
Size: 45.8 KB
Created: 2020-11-03 20:34:37 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bfe17b8a124cfe6876bd4039d33448ad
SHA-1: 7eedd2aeb42a654d33d42498478296320fb5f566
SHA-256: 3ad9ed18e0362553edcabcfda923b472ed1d264fd2fc4f8a71e611422d139855
Risk Score: 94

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a link that redirects to malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains text suggesting a lure for 'Moana full movie google drive mp4', which is a common tactic for phishing or malware distribution. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier: malicious (score 1.0000)

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • Redirector URL: https://gettraff.ru/aws?keyword=moana+full+movie+google+drive+mp4

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000073e0.bin | c3a795a3cafd3a5c5106e9ef603c188d74beac0b6d762cace0e81674bc8d498f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x73E0 | 5336 bytes
font_01_sfnt_off00008611.bin | faf335cf388642bd323c7af3bcc58990d6b16008c0fa832e7145b2823e10bc84 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8611 | 10608 bytes