Malicious PDF — malware analysis report

Static analysis result for SHA-256 4fb474d9b440163e…

MALICIOUS

PDF

Size: 69.0 KB
Created: 2020-12-11 03:08:55 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-16

MD5: 07c036d83eb8bb29de18c0a643156cf5
SHA-1: 96366f7c0ee9b55d2e68ef641bdbf7c7a502f52e
SHA-256: 4fb474d9b440163e3038222f12d05bfd6ff8ab3b9d792b42ef28c1f9d0171258

Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF triggered a critical heuristic for a clickable link to known malicious redirector infrastructure; the same URL also appears in the embedded-URL extraction. The ML classifier and ClamAV independently flagged the file as malicious. The link points to 'traffmen.ru', known redirector infrastructure, and its 'utm_term' parameter (a search phrase for an Adobe Audition crack) shows the document is a cracked-software lure of the PDF SEO/adware kind: it relies on the user clicking through a redirect chain, not on a parser vulnerability. No JavaScript-specific heuristic fired in this static pass, so the T1059.007 mapping is not corroborated by the heuristics listed below.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion technique used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content. Here it fired at info severity, so the duplicated body carried no active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All URLs below were found in PDF document text. The traffmen.ru URL is the one PDF_MALICIOUS_REDIRECTOR_LINK flags as a clickable URI; the other .pdf links point to hosted documents with software-download titles, consistent with cross-linking in a PDF SEO campaign. The ascendercorp.com and daltonmaag.com entries are type-foundry sites (the file embeds three sfnt fonts), the w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers, and scripts.sil.org/OFL is the SIL Open Font License URL.
    • https://traffmen.ru/aws?utm_term=adobe+audition+1.+5++full+crack
    • https://static.s123-cdn-static.com/uploads/4472793/normal_5fce939205f9f.pdf
    • https://cdn-cms.f-static.net/uploads/4370059/normal_5f8cb3d1ad419.pdf
    • https://cdn-cms.f-static.net/uploads/4371258/normal_5f88b05185fea.pdf
    • https://cdn-cms.f-static.net/uploads/4407084/normal_5f97f07e63e33.pdf
    • https://cdn-cms.f-static.net/uploads/4460045/normal_5fd1c0c353e80.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/bfcca865-7ea4-4aee-82e1-b7e251924445/navazal.pdf
    • https://s3.amazonaws.com/pewibim/browsec_vpn_premium.pdf
    • https://s3.amazonaws.com/fowonaxul/chehra_kya_dekhte_ho_song_bestwap.pdf
    • https://static1.squarespace.com/static/5fc114532bbd74065807882e/t/5fc63b462dd96f5918c10628/1606826823226/microsoft_edge_web_browser_download.pdf
    • https://uploads.strikinglycdn.com/files/4c60e9b8-304b-4e98-aa00-f6ac87073424/43060245292.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
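The duplicate-object and embedded-URL heuristics above can be reproduced on a raw PDF byte buffer. The following is an added Python example, not the scanner's own code: it walks every "N G obj ... endobj" definition, reports object numbers defined with differing bodies (what a first-wins and a last-wins reader would each resolve), escalates only when a variant carries active-content keys, and extracts URLs labelled by the channel that reached them (link annotation, JS, document text). The sample PDF is constructed inline; it reuses the traffmen.ru URL from this report but is not the analysed file, and the active-key list and channel labels are this example's own assumptions. It ignores xref tables, object streams and compressed streams, so it is a triage helper rather than a full parser.

```python
import re

# Constructed sample (not the analysed file). Object 1 0 is defined twice; the
# second copy, appended as an incremental update (xref omitted), adds an
# /OpenAction that runs JavaScript. Object 4 0 is a link annotation whose /URI
# is the redirector URL from the report. Object 5 0 is page text with a plain URL.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://traffmen.ru/aws?utm_term=adobe+audition+1.+5++full+crack) >> >>
endobj
5 0 obj
<< /Length 60 >>
stream
BT (Fonts: see http://www.daltonmaag.com/ for details) Tj ET
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
1 0 obj
<< /Type /Catalog /Pages 2 0 R
   /OpenAction << /S /JavaScript /JS (app.launchURL("https://traffmen.ru/aws")) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# "N G obj ... endobj"; sufficient for uncompressed, non-object-stream objects.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# Dictionary keys that make a duplicated object worth escalating (assumed list).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
               b"/SubmitForm", b"/ImportData", b"/RichMedia")


def iter_objects(data):
    """Yield (num, gen, body) for each indirect object definition in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def find_duplicate_objects(data):
    """Map (num, gen) -> bodies, only for objects defined with differing bodies.
    bodies[0] is what a first-wins reader resolves, bodies[-1] a last-wins reader."""
    seen = {}
    for num, gen, body in iter_objects(data):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def duplicate_severity(bodies):
    """'critical' if any variant carries active content, otherwise 'info'."""
    if any(key in body for body in bodies for key in ACTIVE_KEYS):
        return "critical"
    return "info"


def classify_channel(body):
    """Label the channel through which a URL inside this object is reached."""
    if re.search(rb"/URI\s*\(", body):
        return "link annotation"
    if re.search(rb"/JS\s*[\(<]|/JavaScript\b", body):
        return "JS"
    return "document text"


def extract_urls(data):
    """Map each URL found in any object body to the set of channels it came from."""
    found = {}
    for _num, _gen, body in iter_objects(data):
        channel = classify_channel(body)
        for url in URL_RE.findall(body):
            found.setdefault(url.decode("latin-1"), set()).add(channel)
    return found


def triage(data):
    """Report-style lines: one per duplicated object, one per extracted URL."""
    lines = []
    for (num, gen), bodies in sorted(find_duplicate_objects(data).items()):
        lines.append(f"{duplicate_severity(bodies)}: object {num} {gen} defined "
                     f"{len(bodies)} times with differing bodies")
    for url, channels in sorted(extract_urls(data).items()):
        lines.append(f"URL {url} via {', '.join(sorted(channels))}")
    return lines


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_PDF)))
```

On the sample, object 1 0 is reported as critical because its last-wins body carries /OpenAction and /JS, whereas a first-wins reader would only see the benign catalog; the same URL extraction places the report's traffmen.ru link under the link-annotation channel, the JS-reached variant under JS, and the foundry URL under document text.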

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000c5bc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC5BC | 5120 bytes
  SHA-256: ce89c8de864b2adfd6a39438a807f97102e4d9c41aa9602ac53e17dba8f555fa
font_01_sfnt_off0000d747.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD747 | 10116 bytes
  SHA-256: 678306a6e2c6e6123148e11d522efb1eb39a2c2f0e0e04b7719b59bc89926239
font_02_sfnt_off0000f9b8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF9B8 | 4324 bytes
  SHA-256: 7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71