Malicious PDF — malware analysis report

Static analysis result for SHA-256 852e0e74be9127d5…

Verdict: MALICIOUS
File type: PDF
Size: 86.7 KB
Created: 2020-12-22 10:04:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-26
MD5: 83bb17932d9f2972656b6f8d5d406fad
SHA-1: 33198b74b2e7a9d41f1e2fe7bbb9c20648b39fa3
SHA-256: 852e0e74be9127d559e4154319783f1efe7c68d7cfc39a2fbf4bc03168595543
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ggtraff.ru'. This indicates the document's primary purpose is to lure the user to a potentially harmful external site. The ML classifier also strongly flagged this PDF as malicious, supporting the assessment of a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ggtraff.ru/123?utm_term=intrinsic+fermi+energy+equation (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fd0c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFD0C
    Size: 5332 bytes
    SHA-256: b471fb3131de41cf35be9dfe1f5fb8002a4555e85472534da91e27a4369bee7c
  • Filename: font_01_sfnt_off00010f1e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10F1E
    Size: 12056 bytes
    SHA-256: 5c31e0ea54387ae57234e5ced17fd1b2736ca5e3af5d624f70c6a8ba93f90cb0
  • Filename: font_02_sfnt_off0001387c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1387C
    Size: 16116 bytes
    SHA-256: d53d347cea387c54c087b2cd85ea94373ed5f2f525a48ba1569850c62da8c160