Malicious PDF — malware analysis report

Static analysis result for SHA-256 6b661571bfd2dc14…

MALICIOUS

PDF

Size: 185.9 KB
Created: 2020-11-10 03:24:16 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 85e5a128abbec8d58660fde42848ea54
SHA-1: 1e044b572b90abd06f9eeba0c4e6afeec87f1aab
SHA-256: 6b661571bfd2dc14b3938ffc0615730b9484973a7eec702e8fad65d42e843a6b
Risk Score: 334

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1204.002 Malicious Link

The PDF contains a link to known malicious redirector infrastructure and exhibits multiple social engineering lures, including requests for recovery secrets and instructions to execute commands. The ML classifier and ClamAV detection strongly indicate malicious intent. While no scripts were directly extracted, the document's structure and embedded URLs suggest it is designed to phish for sensitive information or to lead the user to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics (8)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Recovery secret / private key request (critical, SE_SECRET_RECOVERY_LURE)
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Clipboard command execution lure (high, SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • ClickFix social engineering attack (high, SE_CLICKFIX)
    Document instructs the user to press Win+R or paste a command into a terminal, consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly.
  • Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • stream_007_off0002965d.bin
    SHA-256: a55c4710f346cc31b9f4712680f670e6a15d78ab47f6e3928d3d5d51e21f3da0
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x2965D
    Size: 30092 bytes
  • font_00_sfnt_off0002565f.bin
    SHA-256: 5ba7442eb07e9897696cd32b61c66d4642408dce9cc2c4715cef54b75a6fc196
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2565F
    Size: 4648 bytes
  • font_01_sfnt_off0002664f.bin
    SHA-256: 8dd18f45ca39b0a84d13d9092c97dc1e015245f19549534a678b4cf199e5adc7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2664F
    Size: 15360 bytes
  • font_03_sfnt_off0002cb16.bin
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2CB16
    Size: 4324 bytes