Malicious PDF — malware analysis report

Static analysis result for SHA-256 9defedceb6b94a03…

Verdict: MALICIOUS
File type: PDF

Size: 80.4 KB
Created: 2020-11-03 10:44:36 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cc9f21c3d303d6f881c05da6d6b91927
SHA-1: 134464b4e1844775391d4b942d7ea041dc50d022
SHA-256: 9defedceb6b94a0375e205f7524beefcfa6e8ee6310aa4919a01c3ce7c69b31d
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

A critical-severity heuristic fired on this PDF because it links to known malicious redirector infrastructure. The embedded URL 'https://ggtraff.ru/123?keyword=one+hundred+years+of+solitude+pdf+spanish' is the primary indicator of malicious intent, and the ML classifier also strongly flagged the file as malicious. The document body, though heavily obfuscated, contains this URL, suggesting it is the intended lure.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://ggtraff.ru/123?keyword=one+hundred+years+of+solitude+pdf+spanish

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off0000f1c5.bin
  SHA-256: cdbd4d78a5666924e6e0374780fecd567a504651417817aefdfab6749e69d0bd
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF1C5
  Size: 3076 bytes

font_01_sfnt_off0000fcc4.bin
  SHA-256: 9395532d36fd4ced61ceb951be130624ba506ca0ca54356745369339197772bd
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFCC4
  Size: 5256 bytes

font_02_sfnt_off00010ea5.bin
  SHA-256: 866218cad8addd7403c06d10d1e96b786f819972f47f3d2a3108fd095f6d5f71
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10EA5
  Size: 11384 bytes