Malicious PDF — malware analysis report

Static analysis result for SHA-256 52515499d8e935b9…

MALICIOUS

PDF

47.6 KB Created: 2020-11-01 18:17:45 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14
MD5: 8be00320740276c731c4d8dc3ce4121c SHA-1: b2a81d1e8087366e10bdc87f89d8b24d69f10bb6 SHA-256: 52515499d8e935b99024ed76f93b12338e05eef0617ec7d70585eb3357b043b4
134 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains heuristics indicating it's a malicious redirector, specifically designed to lure users with a 'study guide' keyword. The embedded URL, https://ggtraff.ru/123?keyword=amendments+study+guide, is flagged as malicious. Although no scripts were explicitly extracted, the PDF structure and redirector link strongly suggest an attempt to deliver a malicious payload or phish credentials.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/123?keyword=amendments+study+guide In PDF document text
    • https://cdn-cms.f-static.net/uploads/4368750/normal_5f883bd420cad.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369629/normal_5f8cb2345b4a6.pdfIn PDF document text
    • https://sijevunima.weebly.com/uploads/1/3/1/8/131859613/jujapatuzevu.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4380876/normal_5f8cc2a99d943.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4379032/normal_5f9172bd85321.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4372963/normal_5f99ca2e4d01e.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4370062/normal_5f9e05cc66f6e.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4409602/normal_5f9480f9833bd.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://cdn.shopify.com/s/files/1/0463/3070/8129/files/ender_in_exile_epub.pdfIn PDF document text
    • https://s3.amazonaws.com/sugaguxagu/75540221013.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0492/4119/4652/files/pipunovowijisarugagore.pdfIn PDF document text
    • https://s3.amazonaws.com/sedimeraxufi/active_voice_and_passive_voice_question.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0440/1653/3654/files/xivekogadoposupakimuve.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0428/6706/4991/files/warship_craft_cheats_2017.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007d6a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7D6A 4896 bytes
SHA-256: 916749f1de957dc24d01cee76dcf6a4d047715b86d5b4c4cb93b3b5cd1dbca76
font_01_sfnt_off00008e11.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8E11 10372 bytes
SHA-256: c991eb0b8255968a1c8bd8ef871fa4f0a2caa2b8b4c9eb3b7448ab54fa503e12