Malicious PDF — malware analysis report

Static analysis result for SHA-256 9a18e5127859fcfc…

MALICIOUS

PDF

63.2 KB Created: 2020-12-17 07:20:13 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fefdd159eb5dafc13f956369ca860bb4 SHA-1: 78324cb73bf9449520aad2c1ce9e681bf2871c38 SHA-256: 9a18e5127859fcfc361e2a4ae5ffd1f311f908e88725040dd316c4ee5d29cdba
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to a URL that is likely part of a phishing campaign. The ML classifier also strongly indicated maliciousness. While no scripts were extracted, the presence of a malicious URL within the document body suggests an attempt to redirect the user to a malicious site, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/aws?utm_term=abel+korzeniowski+letters+sheet+music
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/nosepevozux/45886829118.pdf
    • https://s3.amazonaws.com/sakaburepagase/maytag_maxima_front_load_washer_manual.pdf
    • https://static1.squarespace.com/static/5fc1ae84085bf90c0e029602/t/5fc99f56887b444c6150c805/1607049046533/gewokozotiligif.pdf
    • https://s3.amazonaws.com/tojabixefova/camerax_android_tutorial.pdf
    • https://s3.amazonaws.com/kezemiradigu/59430916599.pdf
    • https://s3.amazonaws.com/biwuwukesazef/39094301781.pdf
    • https://s3.amazonaws.com/leguvefu/venodozagebu.pdf
    • https://s3.amazonaws.com/nezanurugega/73105840237.pdf
    • https://static1.squarespace.com/static/5fc5cb6d104edf1d77a2bf71/t/5fce4650d336b863f0efe15e/1607353936462/2020_defender_carplay.pdf
    • https://s3.amazonaws.com/rorives/notewenub.pdf
    • https://static1.squarespace.com/static/5fc79e65579eee3ae06ed292/t/5fca7b0ccef45959076b5eef/1607105293737/34188303238.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b66e.bin
1dfc007a256999bca715d7dfcbb000fa283a036cbc0a3da753627bd79659b20e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB66E 5164 bytes
font_01_sfnt_off0000c7f2.bin
0a4fa34887b09ca3c073a7c7fd13c686b21e9b477dbd2785bfe19783dca1fe50		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC7F2 12340 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.