Malicious PDF — malware analysis report

Static analysis result for SHA-256 987202a115384a2c…

Verdict: MALICIOUS
File type: PDF
Size: 66.2 KB
Created: 2020-12-19 10:52:21 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-07
MD5: de87968c9ac1c9bcb56bbfc57fe6c775
SHA-1: 58c91774967941b1379f88d2cea8fb015b0e54a3
SHA-256: 987202a115384a2c9df4bab6fb3a6ab3488236481727cc19e5bc6a3980d59be4
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

A critical-severity heuristic fired on this PDF for a clickable link to a malicious redirector, 'https://gettraff.ru/aws?utm_term=baahubali+2+movie+songs+naa+songs'. This URL is likely used to lure users to a malicious site. The ML classifier also flagged the PDF as malicious with high confidence, and ClamAV detected it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so the severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://gettraff.ru/aws?utm_term=baahubali+2+movie+songs+naa+songs (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000c4dc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC4DC
    Size: 5384 bytes
    SHA-256: 7b4578acf10f406413c1a506b7582638174457eb678f50fc5f7019acd4aab63d
  • font_01_sfnt_off0000d712.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD712
    Size: 11300 bytes
    SHA-256: e2801a09ec95ab038685253cca9a17fa44c7680e6ffce0312cc4e3fcc3b7523b