Malicious PDF — malware analysis report

Static analysis result for SHA-256 88e0a2a8eb766ba8…

MALICIOUS

PDF

66.6 KB Created: 2020-11-10 07:54:39 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 82ac62b055da09758500b905a2d0e028 SHA-1: 9a90b691e408ad9feb7b2c52e3a568cbc7fd8080 SHA-256: 88e0a2a8eb766ba8bf0c85a8e8f9df41f81d5a6242dba03bbccea719cf977015
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a link to a known malicious redirector, indicating a phishing attempt. The embedded URL `https://ggtraff.ru/aws?keyword=kenwood+firmware+updates` is likely used to redirect the user to a malicious site. The ML classifier and ClamAV detection further support the malicious nature of this file, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9752

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/aws?keyword=kenwood+firmware+updates
    • https://cdn-cms.f-static.net/uploads/4484126/normal_5faa1c6233575.pdf
    • https://cdn-cms.f-static.net/uploads/4374979/normal_5f9b6454af197.pdf
    • https://cdn-cms.f-static.net/uploads/4387921/normal_5f94b54794b9b.pdf
    • https://cdn-cms.f-static.net/uploads/4375195/normal_5f8a704c2eca5.pdf
    • https://cdn-cms.f-static.net/uploads/4403951/normal_5fa4e2b4637b5.pdf
    • https://cdn-cms.f-static.net/uploads/4383679/normal_5fa1496f2944c.pdf
    • https://cdn-cms.f-static.net/uploads/4389080/normal_5fa1afc31e9f9.pdf
    • https://cdn-cms.f-static.net/uploads/4385004/normal_5f95073800857.pdf
    • https://cdn-cms.f-static.net/uploads/4443292/normal_5fa383c8eff75.pdf
    • https://cdn-cms.f-static.net/uploads/4448096/normal_5fa5aa868ec4d.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/40c74fa0-6c16-4956-9cbf-d2030732504a/ripamemuwavuvapobase.pdf
    • https://uploads.strikinglycdn.com/files/6d0ad015-40e4-4b87-9a59-f873cfa540c0/78839678575.pdf
    • https://uploads.strikinglycdn.com/files/f7b7205d-317d-43ab-bdde-c784e87f7b59/49600321767.pdf
    • https://uploads.strikinglycdn.com/files/10626295-b8ec-4afb-a7a3-64d3f0fe411d/guxuxodulagiju.pdf
    • https://uploads.strikinglycdn.com/files/0aac7a0d-3440-492d-ada9-087e401922ad/81737220093.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d756.bin
d8f89487b4bfc573b86022b627056dd391dc6a462b36dedc276c59d46eab48be		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD756 5216 bytes
font_01_sfnt_off0000e914.bin
8a6c9e30ccecfa124b5af469dd5252b6fccafcd0cfc9844c345803fe1f3f5a63		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE914 12460 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.