Malicious PDF — malware analysis report

Static analysis result for SHA-256 47338a68f301e74e…

MALICIOUS

PDF

76.9 KB Created: 2020-11-10 05:04:42 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-26
MD5: 4e1f341765b51368ce276fb433675646 SHA-1: 15ea9b0bbfc3bf0de2a891c22d5b9f9497e6d203 SHA-256: 47338a68f301e74edb82bc9138eafdccb1d6b6b5fe213837b5803b6a020b507d
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://gettraff.ru/123?keyword=noodletools+express+apa'. This, combined with a high-confidence ML classifier flagging the PDF as malicious and ClamAV detection, strongly indicates a malicious intent. The document body, though heavily obfuscated, likely contains the malicious link or related lures. The presence of a password archive lure heuristic suggests the PDF may be a precursor to delivering a password-protected malicious archive.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/123?keyword=noodletools+express+apa In PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://s3.amazonaws.com/sigobija/the_sims_3_unlimited_money_apk.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/264b9899-24ce-422f-b0de-f06c7351df69/5641293839.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/547f0eac-33a7-469a-921d-5a2fe448f401/zimudo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ea3073de-2f83-4846-b6b0-3a4b00aa4619/navy_jrotc_uniform_female.pdfIn PDF document text
    • https://s3.amazonaws.com/pazovugal/happy_new_year_2020_animated_images_hd.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d665e9d5-857e-4b14-99c0-1d77dace5eb1/10534327774.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ba264c78-a693-4f02-b85e-cf76d6c98a87/66211775925.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/47ac5599-dd0b-4c4a-85ec-50e32b0729cb/39192675394.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0e714a32-8c17-48f6-b0d2-1e8e77a119b4/bafaturolupubafurisi.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/faa4ce7f-4c95-402d-a323-b1c49f732897/mebotuj.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d7d3581a-2a30-46bc-9c01-8e26b6da5435/68718400523.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/53c74434-050f-4a80-bb44-96e6bd512139/62810595886.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/53eaf34f-35c4-4455-9360-df3c3da1a2a4/mit_application_phd.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b807.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xB807 4624 bytes
SHA-256: 06ac76080e97baf1c428155629f31190fa6a19ff6625d7deaf92103f10362169
font_01_sfnt_off0000c7d2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC7D2 6416 bytes
SHA-256: f86f10004a7582689f54608bc11fa9378b74683e082c2669c0b507323d906d8d
font_02_sfnt_off0000de46.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDE46 10600 bytes
SHA-256: 0d74afb2da052f056c69ee98031b9be96a0c7d5002b0a443ffa8450b8ade8272
font_03_sfnt_off00010289.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10289 16344 bytes
SHA-256: 727c720c99aefa4bb002e248790b8ef6e90d1ae262ab3cd6280de1147a43390e
font_04_sfnt_off00011822.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11822 4324 bytes
SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2