Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a0fb646d667f217…

MALICIOUS

PDF

71.2 KB Created: 2020-12-28 12:53:14 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 146e0a0ce004cf7de1bbe0c592924ce9 SHA-1: 774aa45a17b2e3f68e42648644d261e5d27a6441 SHA-256: 8a0fb646d667f217ca43dfe3991793e650e97bca35e7db6bdf407a339b034ed5
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link to a known malicious redirector, indicating an attempt to direct the user to a harmful site. The ML classifier and ClamAV detection strongly suggest malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded links are indicative of a phishing or malware distribution lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffmen.ru/strik?utm_term=target+archery+bows+for+sale
    • https://cdn.sqhk.co/vetesomiw/Lieg4hf/jajamapakamegun.pdf
    • https://cdn.sqhk.co/wuvotalek/NG5hbGl/26536181457.pdf
    • https://cdn.sqhk.co/baxemazisod/hvaDgc0/dukenuz.pdf
    • https://cdn-cms.f-static.net/uploads/4369328/normal_5f992e5e32d0f.pdf
    • https://cdn-cms.f-static.net/uploads/4405208/normal_5fa37d7b7f820.pdf
    • https://cdn-cms.f-static.net/uploads/4410953/normal_5f9f0589a3cc8.pdf
    • https://cdn-cms.f-static.net/uploads/4464303/normal_5fe84d16f0691.pdf
    • https://static.s123-cdn-static.com/uploads/4391315/normal_5fc90abf87187.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/76503c7f-6b54-424b-97d0-737caeae7692/vipimigimavu.pdf
    • https://uploads.strikinglycdn.com/files/7ea2de75-8505-4a93-8864-a9727c10e868/hideaway_bed_rail.pdf
    • https://s3.amazonaws.com/xedewofuretujo/maradona_malayalam_movie_english_subtitles.pdf
    • https://s3.amazonaws.com/rogugagatuf/34913650316.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d211.bin
17071dfcf3ab4125b45c1485958753aa2c54ed952d0282fc6d20b3a5339ee6c6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD211 5424 bytes
font_01_sfnt_off0000e497.bin
9eecd652a1bfc43bc02e3625969aafa606d03d48789d8908e9194c3ec05c49f4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE497 12816 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.