Malicious PDF — malware analysis report

Static analysis result for SHA-256 9792dc475dc49fac…

MALICIOUS

PDF

68.0 KB Created: 2021-01-13 08:39:16 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 01735a9a9d65c2a9f161d39b8aefed4c SHA-1: b26837560e46242bbd29015708fbb03929b717d9 SHA-256: 9792dc475dc49fac6d3f93bdfcb1ab5d85147520d30e32e11ec6a8ee9e403c65
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing indicating it links to known malicious redirector infrastructure, specifically 'https://traffmen.ru/123?utm_term=google+drive+joker+%25282019+mp4%2529'. ClamAV also detected the file as 'Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0'. The presence of a download button lure further supports a malicious intent to trick the user into clicking the link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffmen.ru/123?utm_term=google+drive+joker+%25282019+mp4%2529
    • https://cdn-cms.f-static.net/uploads/4448115/normal_5f9f5d0219413.pdf
    • https://static.s123-cdn-static.com/uploads/4379034/normal_5fcee7bc9239b.pdf
    • https://static.s123-cdn-static.com/uploads/4456143/normal_5feb0257eb456.pdf
    • https://site-1173429.mozfiles.com/files/1173429/jobs_vocabulary_exercise.pdf
    • https://static.s123-cdn-static.com/uploads/4387698/normal_5fc91734eb52a.pdf
    • https://site-1192597.mozfiles.com/files/1192597/59271911259.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/galinikagopit/23157065439.pdf
    • https://s3.amazonaws.com/figugipopar/plague_inc_apk_mod_2019.pdf
    • https://s3.amazonaws.com/vutame/child_care_subsidy_payment_forms.pdf
    • https://s3.amazonaws.com/xapijifas/rikoje.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cb9c.bin
705ccec34bf45422d1580c3c7ae6a6bcfde8cd672b5d10099dc127be107bd7f0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCB9C 5848 bytes
font_01_sfnt_off0000df9b.bin
b15aa09ce32e5b7e24811d2deae49626d5d2fbba1b6513597e75908e7c92520b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDF9B 10544 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.