Malicious PDF — malware analysis report

Static analysis result for SHA-256 90c50adb0afd54e1…

Verdict: MALICIOUS
File type: PDF
Size: 69.4 KB
Created: 2020-12-22 10:41:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-07
MD5: e2a8455a65630e8f685d01ff9d8497e5
SHA-1: 8af1bf1065536330a5dba78e5d33080bb71ef5c2
SHA-256: 90c50adb0afd54e175992c227510bf5e9d0918a1c2351568b77afc4d57090963
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ggtraff.ru/strik?utm_term=bubble+tea+house'. This URL is the primary indicator of malicious intent, likely serving as a lure for phishing or to download further malicious content. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000d43a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD43A
    Size: 4864 bytes
    SHA-256: 0bbf5f7b3addd1dd2a9fb48458feee818eb651a8c11ad1eca5851201d6c31421
  • Filename: font_01_sfnt_off0000e4c0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE4C0
    Size: 10796 bytes
    SHA-256: d65750023273856a4716e6e8857306e26b9cf48525ef22cd1ca0fe2cad19a27a