Malicious PDF — malware analysis report

Static analysis result for SHA-256 94614f021a4f6483…

MALICIOUS

PDF

64.6 KB Created: 2020-12-29 23:34:58 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 64d26bba509e7fc641881c33b239662c SHA-1: 175f553e215e5381fdcd1e61b365cff0df15fa31 SHA-256: 94614f021a4f648334f265d071a6824d4e664bf87467a94c57106efddba74d01
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, and contains a critical heuristic firing for a malicious redirector link. The embedded URL, https://gettraff.ru/123?utm_term=hugh+c+williams+high+school+canton+ny, is likely intended to lead the user to a phishing or malware distribution site. No scripts were extracted, but the presence of a malicious URL strongly suggests a phishing or credential harvesting attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/123?utm_term=hugh+c+williams+high+school+canton+ny
    • https://cdn-cms.f-static.net/uploads/4379982/normal_5f9eb6bd6ab61.pdf
    • https://cdn-cms.f-static.net/uploads/4487187/normal_5fad3da7482d2.pdf
    • https://cdn-cms.f-static.net/uploads/4403260/normal_5fa794d0dfde3.pdf
    • https://cdn-cms.f-static.net/uploads/4375095/normal_5fbf3a3ac7c4e.pdf
    • https://cdn-cms.f-static.net/uploads/4387806/normal_5f934be7adb82.pdf
    • https://cdn.sqhk.co/jekuzedu/jeie6K0/wheres_my_droid_cho_iphone.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/f321ec68-8748-4c92-b245-3691e22c6c4e/porisobalagu.pdf
    • https://uploads.strikinglycdn.com/files/1903a5c3-22f6-4b92-aaba-3cdbbc1b5dbf/sql_drop_table_column.pdf
    • https://s3.amazonaws.com/vavejijitatofu/money_decimal_notation_worksheets.pdf
    • https://uploads.strikinglycdn.com/files/adc92334-9737-4797-b59e-878e4e83e739/ridizotumupi.pdf
    • https://uploads.strikinglycdn.com/files/541dee6f-0772-4468-a2d7-c22f4c34c44b/11750579700.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c0a1.bin
73a9a1a8ae69dcf1d3a07794af3c5a23e4cef8225a4611d31e177635dc92cd8d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC0A1 5272 bytes
font_01_sfnt_off0000d28c.bin
9f96855e9198fcbc975c0ed3e6eba5c6470e12e33cf25d3e593602f39c462a55		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD28C 10432 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.