Malicious PDF — malware analysis report

Static analysis result for SHA-256 6a6636f1ca42a2e9…

MALICIOUS

PDF

65.9 KB Created: 2020-11-29 14:33:13 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 79406310235c074f96ce0aa41ccd4bbc SHA-1: bd50380ce563014000bd93a441a5ca3dd300857d SHA-256: 6a6636f1ca42a2e90539bf3b7a2b1649cea4d73048158f706eeea9bd2cc715ab
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a link to a known malicious redirector, traffmen.ru, which is disguised as a product manual. This strongly suggests a phishing or malware distribution attempt. While no scripts were directly extracted, the PDF structure and the malicious link indicate a high likelihood of malicious intent, possibly involving embedded JavaScript to facilitate the redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffmen.ru/strik?utm_term=contour+next+meter+manual
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/f651f9f3-77bb-4e07-a072-169b20daf80c/33140871529.pdf
    • https://s3.amazonaws.com/sefiwegegagu/zubuzamu.pdf
    • https://s3.amazonaws.com/fekaduvopigab/jugevojaxasavulo.pdf
    • https://s3.amazonaws.com/kokesatodixon/china_visa_application_form_delhi.pdf
    • https://s3.amazonaws.com/wajufifenoxuj/fededoxinovejiw.pdf
    • https://s3.amazonaws.com/xezujuxoz/tamilrockers_tamil_dubbed_movies_2019.pdf
    • https://s3.amazonaws.com/jevelel/logorave.pdf
    • https://s3.amazonaws.com/gitipelut/xowafolufowivil.pdf
    • https://s3.amazonaws.com/tuxenipup/cholestyramine_dosage_forms.pdf
    • https://uploads.strikinglycdn.com/files/2afcbf40-4629-4f6c-a6d0-b6e69ff6d4ac/94377858952.pdf
    • https://uploads.strikinglycdn.com/files/8a799ffe-02b8-4910-b956-27a8100d402e/nagasigux.pdf
    • https://uploads.strikinglycdn.com/files/cf937562-3bc8-4081-96c6-bdd6d1350543/tawaxupuzavutexopugulivo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c363.bin
90f6b912226a383716753aee4fb0a4e39dd5865efcc1c9989b5967d5ec30a6a9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC363 4628 bytes
font_01_sfnt_off0000d300.bin
55730893b45a29e9e5f1c5ee0aa525e2e2a411c2d1ef6aff7568f731634cbb4f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD300 11428 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.