Malicious PDF — malware analysis report

Static analysis result for SHA-256 8d5279708bb4208d…

MALICIOUS

PDF

Size: 71.8 KB
Created: 2020-11-09 23:17:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-31
MD5: f164385f4c514dfb4c641cd9957aa5c4
SHA-1: d60d1bb5dbbe45180bc8eb8a3eeac72476be12ab
SHA-256: 8d5279708bb4208d4f2d688e5686fd04985e348e9e8bcc75f32ce61bb2e78d4c
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript

The PDF triggers a critical heuristic for a clickable link to known malicious redirector infrastructure, 'https://traffine.ru/123?keyword=humphreys+county+library'. The same URL is also present in the extracted document text. Together with the ML classifier score and the ClamAV phishing signature, this strongly indicates malicious intent: the document is most likely a lure whose link starts a redirect chain to a phishing page or a second-stage download, relying on the user clicking rather than on a parser vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for the same reference, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so the severity is raised only when one of the duplicate definitions carries active content (JavaScript, actions, launch targets or clickable URIs).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffine.ru/123?keyword=humphreys+county+library (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4376625/normal_5f8d563404719.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4369330/normal_5f94566b3d8b2.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4409102/normal_5f9a42fe79536.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4384045/normal_5f9b6be061339.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • https://uploads.strikinglycdn.com/files/46e0bff2-f341-4d63-8e72-7ba39dae9fd3/lotowutonisusalal.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/48873d39-b180-4401-bc3c-681cb993bdf2/the_only_astrology_book.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e8349a83-7c84-4781-8397-2b497e56b159/revawofet.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a4820424-f1b5-42aa-a3ec-d1b1546179e4/7599110898.pdf (in PDF document text)
    • https://s3.amazonaws.com/xanebavifamopez/magazine_design_templates.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f13bd4ed-a8f7-473c-baef-69dada9d515b/jozebagubigelet.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/06c4f751-6e8c-49b7-8ca2-d65adfc907c1/jegugunorixomunovowikod.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/82dff388-e69f-42bd-a3e2-335de3f0b9a8/city_of_fallen_angels_audiobook.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1405bfb8-3971-4ddc-8588-1ddf90170280/17952992114.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
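The two "info" heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL with its per-URL channel labels) are easy to reproduce with a raw scan of the file. The following is an added example written for this report, not the scanner's own code or any output from the analysed sample: it walks a constructed PDF byte string, reports every indirect object that is defined more than once with differing bodies, shows which body a first-wins and a last-wins reader would pick, raises the severity only when a duplicate carries active content, and labels each extracted URL with the channel it came from (a /URI link annotation versus plain text inside a content stream). The sample PDF, the list of keys treated as "active content" and the severity names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): object "4 0" is defined twice with
# different bodies, and only the second definition carries a clickable /URI.
# The /Length values are not validated; real tooling must honour them.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] >>
endobj
5 0 obj
<< /Length 52 >>
stream
BT /F1 12 Tf (see https://example.test/doc.pdf) Tj ET
endstream
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://redirector.example/123?keyword=x) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# \bstream keeps "endstream" from being taken as the start of a stream.
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)
URI_ANNOT_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
TEXT_URL_RE = re.compile(rb"https?://[^\s()<>\[\]\"']+")
# Keys treated as "active content" for severity escalation (assumed list).
ACTIVE_RE = re.compile(
    rb"/(JS|JavaScript|OpenAction|AA|Launch|URI|SubmitForm|EmbeddedFile|RichMedia)\b"
)


def parse_objects(data):
    """Return {(num, gen): [body, ...]} in file order.

    A raw scan mirrors readers that rebuild the object table by walking the
    file; it deliberately ignores the xref table and object streams, which is
    exactly why first-wins and last-wins readers can disagree.
    """
    objs = defaultdict(list)
    for num, gen, body in OBJ_RE.findall(data):
        objs[(int(num), int(gen))].append(body.strip())
    return objs


def find_duplicate_objects(data):
    """Flag objects defined more than once with different body bytes."""
    findings = []
    for (num, gen), bodies in parse_objects(data).items():
        if len(set(bodies)) < 2:      # identical re-definitions are noise
            continue
        active = any(ACTIVE_RE.search(b) for b in bodies)
        findings.append({
            "obj": f"{num} {gen}",
            "definitions": len(bodies),
            "first_wins": bodies[0],   # what a first-wins reader resolves
            "last_wins": bodies[-1],   # what a last-wins reader resolves
            "active": active,
            "severity": "high" if active else "info",
        })
    return findings


def extract_urls(data):
    """Return {url: {channel, ...}} labelling how each URL was reached.

    Only uncompressed content streams are searched; a real extractor must
    first apply /Filter decoding (FlateDecode etc.) to the stream bytes.
    """
    found = defaultdict(set)
    for _, _, body in OBJ_RE.findall(data):
        for uri in URI_ANNOT_RE.findall(body):
            found[uri.decode("latin-1")].add("link annotation")
    for content in STREAM_RE.findall(data):
        for url in TEXT_URL_RE.findall(content):
            found[url.decode("latin-1")].add("document text")
    return dict(found)


if __name__ == "__main__":
    for f in find_duplicate_objects(SAMPLE_PDF):
        print(f"{f['obj']} obj defined {f['definitions']}x "
              f"active={f['active']} severity={f['severity']}")
    for url, channels in extract_urls(SAMPLE_PDF).items():
        print(url, sorted(channels))
```

On the constructed sample the scan reports object 4 0 as defined twice with a clickable /URI in the last definition, so a last-wins reader shows a live link that a first-wins reader never sees; the redirector URL is labelled as reached through a link annotation, while the URL typed into the page content is labelled as document text. Against a production sample, treat this as triage only: readers also consult the xref table and incremental-update trailers, and anything inside a FlateDecode stream is invisible until decoded.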

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000b59c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB59C | 5256 bytes
  SHA-256: 79b7a2300107d3c603f5b8a714c48df47a3f33bda336154674827e1ede7f1225
font_01_sfnt_off0000c74e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC74E | 12412 bytes
  SHA-256: b018c586d5ebb0772098a3b4c3d9fa1e259447b6bba1d1f2feef4c11092adf80
font_02_sfnt_off0000ef00.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEF00 | 16144 bytes
  SHA-256: 18f56b7fae04e07bc119a468ad323bdda099da77b0772854d1c47cc1f39b9f3b
font_03_sfnt_off00010400.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10400 | 4324 bytes
  SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3