Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c275877413dd08d…

MALICIOUS

PDF

46.3 KB Created: 2020-11-05 20:38:50 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 347305f7c0e08a6e3a9f010081888ba7 SHA-1: e925047d41e381abf71db608dd3f130f6ab61bca SHA-256: 6c275877413dd08d1f1e1c3092064e7eb964b390e7590dfaf78e779decc37929
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link to a known malicious redirector, https://gettraff.ru/aws?keyword=spider+solitaire+unblocked, disguised as a game. The ML classifier also strongly flagged this PDF as malicious. While no scripts were explicitly extracted, the PDF structure and embedded URL indicate a malicious intent to redirect the user to a harmful site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/aws?keyword=spider+solitaire+unblocked
    • https://cdn-cms.f-static.net/uploads/4366346/normal_5f876638b950b.pdf
    • https://cdn-cms.f-static.net/uploads/4375203/normal_5fa3dc5fb54e1.pdf
    • https://cdn-cms.f-static.net/uploads/4370073/normal_5f915819ea59f.pdf
    • https://cdn-cms.f-static.net/uploads/4418574/normal_5f965ddaad5d0.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/zetare/1139669416.pdf
    • https://s3.amazonaws.com/subud/18038642967.pdf
    • https://uploads.strikinglycdn.com/files/cf044122-1893-48d3-b1e8-b5b78dbed58b/72433847707.pdf
    • https://s3.amazonaws.com/tibanepoxilibud/molibimubu.pdf
    • https://uploads.strikinglycdn.com/files/269d7276-a237-455e-95f2-703e19cc3ded/dungeons_dragons_starter_set.pdf
    • https://uploads.strikinglycdn.com/files/c61b3618-beda-465d-9840-b011337d45e7/dr_joseph_bellizzi.pdf
    • https://s3.amazonaws.com/posufij/resident_evil_4_chimera_pieces.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000076f0.bin
f898a53b14ef26899d1d49e4ae599da1485ed11e63b79fe685101ff4e5db6157		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76F0 5372 bytes
font_01_sfnt_off0000893d.bin
1927a8ca630637695b370950c3e48a5a353858340e93427b024e396a1ce01b08		 pdf-font-stream PDF embedded font (sfnt) at offset 0x893D 10460 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.