Malicious PDF — malware analysis report

Static analysis result for SHA-256 79883e0dd6c35f55…

MALICIOUS

PDF

51.4 KB Created: 2020-10-31 01:42:54 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8c809eea1676c161dc96e8ba03b64264 SHA-1: 1d8e2d23e0b39522415b0f52e8cc9880f3164453 SHA-256: 79883e0dd6c35f55ac7a9e72943ceb1f6b4eaa2b65e45b4bdfce9d1ba9cc771f
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a heuristic firing for a malicious redirector link pointing to 'https://gettraff.ru/123?keyword=ios+keyboard+apk+2020'. The document body, though heavily obfuscated, also contains this URL, suggesting it is the primary lure. The ML classifier also flagged this PDF as malicious. The presence of this link indicates an attempt to redirect the user to a potentially harmful destination.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/123?keyword=ios+keyboard+apk+2020
    • https://cdn-cms.f-static.net/uploads/4368953/normal_5f89163c7c9ae.pdf
    • https://cdn-cms.f-static.net/uploads/4374848/normal_5f9beffc4f797.pdf
    • https://cdn-cms.f-static.net/uploads/4392453/normal_5f9abb011d5d2.pdf
    • https://cdn-cms.f-static.net/uploads/4379841/normal_5f9b06a4c71ab.pdf
    • https://cdn-cms.f-static.net/uploads/4379374/normal_5f8d566e6346c.pdf
    • https://cdn-cms.f-static.net/uploads/4365591/normal_5f9c70493ac62.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/9d0571a3-222b-4fb5-ad58-3f088f6fd210/sefulozivodap.pdf
    • https://uploads.strikinglycdn.com/files/f60fa163-226f-47b4-9e55-f3f90c242b6b/midudupufip.pdf
    • https://uploads.strikinglycdn.com/files/c3845014-54bb-453c-bde8-b518d0291afb/48292073889.pdf
    • https://uploads.strikinglycdn.com/files/a928177f-fdd9-40e2-ad4a-1522d44a820a/jasifenoxobi.pdf
    • https://uploads.strikinglycdn.com/files/31227407-f077-44cc-9dc8-ca3b18e886eb/pevadefa.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_005_off0000a093.bin
03042f516299aa5ffd2c02dd1e0d2a4ea9615323fe599489fc7432ada83eb4f2		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xA093 19336 bytes
font_00_sfnt_off0000653d.bin
5a3f4b32add157d83e88d855ce7e98956403c4d4ba711a7d3ac0c62c4e59f7b4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x653D 5440 bytes
font_01_sfnt_off000077cb.bin
325dc92e31f7fddaae9c5a9b97c36b0768fc4c8de485f0785961f04d7934fc99		 pdf-font-stream PDF embedded font (sfnt) at offset 0x77CB 12120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.