Malicious PDF — malware analysis report

Static analysis result for SHA-256 96380f14d1b2d8b3…

Verdict: MALICIOUS

File type: PDF

Size: 64.6 KB
Created: 2020-12-21 08:51:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c20a62d6457b74783743165809b3f561
SHA-1: 946a8135e1baa7ffbb4a05b7484d4649f9cbbe08
SHA-256: 96380f14d1b2d8b3b9486c70f5346f3ade4c5881c7328d3f441b4afb1b9f6a64
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ggtraff.ru'. This indicates the document's primary purpose is to lure users to a potentially harmful website. While no scripts were extracted, the ML classifier and ClamAV detection further support its malicious nature, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9486

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://ggtraff.ru/strik?utm_term=tree+team+mod+apk+0.+9
    • https://static.s123-cdn-static.com/uploads/4476569/normal_5fc833a72f56b.pdf
    • https://mupipuko.weebly.com/uploads/1/3/4/3/134370635/9960fb.pdf
    • https://cdn-cms.f-static.net/uploads/4476765/normal_5fbfb1ee51130.pdf
    • https://static.s123-cdn-static.com/uploads/4377407/normal_5fca7e61191f5.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/rezugekolaba/rforme_des_caisses_de_retraite_au_maroc.pdf
    • https://uploads.strikinglycdn.com/files/5be5adb6-0032-4c26-84d2-b05f1a69561e/guia_de_los_movimientos_de_musculacion_7_edicion_descargar.pdf
    • https://s3.amazonaws.com/wupagivoz/lisexojatoboforikituro.pdf
    • https://s3.amazonaws.com/mokixetat/77429326327.pdf
    • https://uploads.strikinglycdn.com/files/95edf98a-aa75-44a1-aad0-ca805e82b5e0/larunujafekapozanevo.pdf
    • https://uploads.strikinglycdn.com/files/96cb6196-7895-43cf-9bda-cccfab97e6bf/gubazurebibafezi.pdf
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: stream_004_off0000e48d.bin
SHA-256: 4c6dbb854d489172322352ef88b2d33922154fc3c9f582445d95cf5f6671b72b
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0xE48D
Size: 18152 bytes

Filename: font_00_sfnt_off0000ad6c.bin
SHA-256: a6d5a6152a1a21e13fd724cd7ae33f6fe02ec166a0817ea32190c55580a351af
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xAD6C
Size: 4872 bytes

Filename: font_01_sfnt_off0000be00.bin
SHA-256: 229dc78377c94ab55236c67b816d64377177aaf3db5fa146aa09af9deab9cdec
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xBE00
Size: 11276 bytes