Malicious PDF — malware analysis report

Static analysis result for SHA-256 84c4aa88761b6086…

MALICIOUS

PDF

90.6 KB Created: 2020-11-12 14:05:45 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-26
MD5: 1bb2f9a2f19c1e10d14133a24cb8e052 SHA-1: 70bce71a430e0bc32bad7c2d61c94c9d05233be6 SHA-256: 84c4aa88761b608658cba45afea11ed17921835eeaf63fd9f777dd04707c1b34
222 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a heuristic indicating it's a malicious redirector link, pointing to 'ggtraff.ru'. It also exhibits characteristics of a link farm, with numerous external PDF links, suggesting a phishing or scam attempt. The 'SE_INVOICE_LURE' heuristic further supports the idea that the document is designed to trick the user into clicking the malicious link by appearing to be an invoice or payment notification.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/123?utm_term=air+guide+accessory+mac-760fd-e In PDF document text
    • https://cdn-cms.f-static.net/uploads/4382407/normal_5f9341c06f309.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369328/normal_5f9ced75c475f.pdfIn PDF document text
    • https://lewelekokoje.weebly.com/uploads/1/3/4/3/134333059/bovisosanebimanarewa.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4391335/normal_5f8e57352dbd0.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4408983/normal_5f97853b44fad.pdfIn PDF document text
    • https://sofunidus.weebly.com/uploads/1/3/4/5/134593652/7c87d9fd.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/a3d796ec-49b0-42a4-97e8-14c67ddf6383/22238069456.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/51f651a5-62c3-4dda-8cd9-83673a958d5c/44293485262.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/346af5ab-61ca-49db-977c-1d19d055f765/59408688353.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/19ba535d-a515-41e8-986f-eb1ebca7ccfd/jaxigibavinuse.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/296721ea-1a7c-4c66-845e-dd830963b214/nichols_middle_school.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6e2ae615-48b2-47fc-995b-863c6d4fe9b0/debose.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f8d9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF8D9 3656 bytes
SHA-256: 9bf8e9c8677a4d295eb8f5274d583a2a1d2696571d95de0f685cf587223d447a
font_01_sfnt_off000105ed.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x105ED 5808 bytes
SHA-256: fb35ba614985779ab5027c33dc5328cf9e35979c00d1d7940a989fb9ddea9c14
font_02_sfnt_off000119bb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x119BB 15648 bytes
SHA-256: 2d05dbffaf684b80f0fa2a2ce9e857d781023db3e67b6d699ce5b0d27ff17c87
font_03_sfnt_off0001479b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1479B 16100 bytes
SHA-256: d973db94ba2c448c661c26f08d051ac794e7cb4f3c7daa33c2141e8036f071b6