Malicious PDF — malware analysis report

Static analysis result for SHA-256 406959f3dcba7a84…

MALICIOUS

PDF

102.6 KB Created: 2020-11-23 17:04:07 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-11
MD5: 51bea0f691fb0498506c3b0e94455ea6 SHA-1: 638dec175332ed0483ce9986dd6366cf02637355 SHA-256: 406959f3dcba7a84e40178bdbb74d95ae32eddc1f9117d2837b6b74388e3273c
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF file is identified as malicious by multiple heuristics and an ML classifier, specifically flagged as a phishing and redirector link. The embedded URL `https://traffking.ru/strik?utm_term=satta+king+gali+disawar+ghaziabad+ki` points to known malicious infrastructure. The heuristic 'SE_CALLBACK_LURE' indicates the document likely contains a callback phishing or tech-support scam pretext, urging the user to contact a fraudulent number. While no scripts were explicitly extracted, the PDF structure and malicious links suggest it's designed to exploit users, potentially through embedded JavaScript or by redirecting to malicious sites that host exploits.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9986

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffking.ru/strik?utm_term=satta+king+gali+disawar+ghaziabad+ki In PDF document text
    • https://ximewenidurap.weebly.com/uploads/1/3/4/6/134651426/jowal.pdfIn PDF document text
    • https://sepenunaxob.weebly.com/uploads/1/3/0/7/130776074/09d169b.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4403531/normal_5fa9938f3f1fb.pdfIn PDF document text
    • https://xidogofu.weebly.com/uploads/1/3/4/3/134307260/4d964.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4407316/normal_5f9250f85e1d7.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4412896/normal_5fa34da7d093f.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://fedorahosted.org/lohitIn PDF document text
    • https://s3.amazonaws.com/xezujuxoz/98774758810.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c19adf68-ba10-4796-894d-d4ad7fde8594/muzavukufudemixubokodu.pdfIn PDF document text
    • https://s3.amazonaws.com/bisute/toshiba_58l7300u_manual.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c5e6731a-7338-4234-8a7e-20ca62449b6e/tawupazedufakad.pdfIn PDF document text
    • https://s3.amazonaws.com/vexeliku/linux_boot_process_in_detail.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
    • https://savannah.gnu.org/projects/freefont/In PDF document text
    • http://www.gnu.org/licenses/In PDF document text
    • http://www.gnu.org/copyleft/gpl.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_006_off00013aad.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x13AAD 26736 bytes
SHA-256: 67e4dd580c9ec7ed9f982eff59b514672443d5b71a26abadf56b3bfc579fdeff
font_00_sfnt_off0000e4a4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE4A4 6384 bytes
SHA-256: d84f0b41e921a5fbb59c6000c45deae92b494ed9e0760429eb35bde61d0b8459
font_01_sfnt_off0000f45a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF45A 5536 bytes
SHA-256: 07a6008e37c23a574e3d85f7e21ada74c7e9923e80c3c1c5f37526377f439cc1
font_02_sfnt_off00010737.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10737 3228 bytes
SHA-256: e66d2ce60383fbddc34a71adc66fb0209937fcba4303d7e12ad9aff00b5c4d05
font_03_sfnt_off0001147a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1147A 11164 bytes
SHA-256: ead9247258145cbb17fa2614cef3da32acc34cec474912dcec353c00ec273086
font_05_sfnt_off00016b34.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x16B34 9756 bytes
SHA-256: 6216acdc64aa2a0ee190a3491c42a084ccb92ee68a61e919e681a53c448e0834