Malicious PDF — malware analysis report

Static analysis result for SHA-256 86d2bcd2bd615580…

Verdict: MALICIOUS
File type: PDF
Size: 62.1 KB
Created: 2020-12-04 12:33:20 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 515e865f5e3f00c087326685a4e2108b
SHA-1: 63f00ea9ec0416bf1f125f8e5e90f08ffc3f5ff6
SHA-256: 86d2bcd2bd615580ae41b1adb5c43308c3f7ab39c5ee4272cc7492f898862dc9
Risk Score: 174

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF that contains a link to a known malicious redirector, traffmen.ru. Heuristics indicate it's a callback phishing lure, suggesting the document prompts the user to call a phone number related to billing or refunds. While no scripts were extracted, the PDF structure and malicious link strongly suggest a phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffmen.ru/aws?utm_term=arafat+ft+naza (the malicious redirector link referenced above)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000b719.bin
SHA-256: 48bce8f3016411f5d70be5041acb86c0bec9d47fda6f04ac9dd242f549810ae3
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xB719
Size: 4592 bytes

Filename: font_01_sfnt_off0000c6cb.bin
SHA-256: 65c19a74a3a554a27636a52a82a3df590dce4764b19808ee9cc18573391e2d99
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xC6CB
Size: 11268 bytes