Malicious PDF — malware analysis report

Static analysis result for SHA-256 7a483a50c059f237…

MALICIOUS

PDF

Size: 182.3 KB
Created: 2020-12-31 18:53:58 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-27
MD5: acd0a01769a16b21b835b3680cf04cb1
SHA-1: ef009a262635ad6f1ae9c1e9e70a60f9cb2a78e7
SHA-256: 7a483a50c059f2371db35156af2485d629d0d835af1a95cdf81f96d4d1474d5f
Risk Score: 174

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'traffmen.ru'. This URL is presented in a way that suggests a lure, potentially related to 'Pokemon go raid map apk' as indicated by the URL parameters. The ML classifier also strongly flagged this PDF as malicious. While no scripts were extracted, the embedded malicious URL is the primary indicator of compromise and attack vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9095

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • QR-code redirect lure [medium] SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffmen.ru/123?utm_term=pokemon+go+raid+map+apk In PDF document text
    • https://rogejizerabori.weebly.com/uploads/1/3/4/7/134763318/3545148.pdf In PDF document text
    • https://cdn-cms.f-static.net/uploads/4497685/normal_5fd61e8008a2a.pdf In PDF document text
    • https://cdn-cms.f-static.net/uploads/4393790/normal_5f902d72260d5.pdf In PDF document text
    • https://xikagarema.weebly.com/uploads/1/3/4/4/134489929/1428d.pdf In PDF document text
    • https://static.s123-cdn-static.com/uploads/4495262/normal_5fc6f7ad55a0e.pdf In PDF document text
    • https://cdn-cms.f-static.net/uploads/4406229/normal_5fbae5bb09cde.pdf In PDF document text
    • https://cdn-cms.f-static.net/uploads/4497093/normal_5fda5f5abb185.pdf In PDF document text
    • https://static.s123-cdn-static.com/uploads/4446280/normal_5fdebc7550d71.pdf In PDF document text
    • http://www.ascendercorp.com/ In PDF document text
    • http://www.ascendercorp.com/typedesigners.html In PDF document text
    • http://www.daltonmaag.com/ In PDF document text
    • https://uploads.strikinglycdn.com/files/16670c39-cfc0-4f96-a189-468144ee9efe/vt_pbs_schedules_tv_schedules.pdf In PDF document text
    • https://s3.amazonaws.com/xugigabitulu/see_cookies_in_chrome_android.pdf In PDF document text
    • https://s3.amazonaws.com/zobuwubedak/74804143172.pdf In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://purl.org/dc/elements/1.1/ In PDF document text
    • http://ns.adobe.com/pdf/1.3/ In PDF document text
    • http://ns.adobe.com/xap/1.0/ In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/ In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/ In PDF document text
    • https://savannah.gnu.org/projects/freefont/ In PDF document text
    • http://www.gnu.org/licenses/ In PDF document text
    • http://www.gnu.org/copyleft/gpl.html In PDF document text
    • http://scripts.sil.org/OFL In PDF document text
    • http://dejavu.sourceforge.net In PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/License In PDF document text

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00023747.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x23747 | 6440 bytes
  SHA-256: 629123bfde0685c5f69bbdd27ec008bde0224d5c30af1dabb990f6ee33ea778e
font_01_sfnt_off0002470a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2470A | 8356 bytes
  SHA-256: 5e8a38d7a59c64f449a66eed537a919e7fe5a54489ceab0427bef31f80bc9fd8
font_02_sfnt_off00026359.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x26359 | 4844 bytes
  SHA-256: 0a116244575dc782700c34aa2e34d63c5c162edf02cb2390c33defa9d0d49ca6
font_03_sfnt_off0002739e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2739E | 2248 bytes
  SHA-256: 5d139c86ab3b70516fe58b63c172331e16661c0cb5e963f50f3cdfad3c8631de
font_04_sfnt_off00027df3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x27DF3 | 12552 bytes
  SHA-256: 70de9aba9948de19adf2f2c95db5890b1f57ab3c21856e0899c9c6b6c8e5108e
font_05_sfnt_off0002a770.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2A770 | 16036 bytes
  SHA-256: 354dce64f07f3d7acdf6a04edf763950ffbfec4edcbb4bfe17b65a83544077bb
font_06_sfnt_off0002bbd8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2BBD8 | 4324 bytes
  SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3