Malicious PDF — malware analysis report

Static analysis result for SHA-256 9fc284a4d141005d…

MALICIOUS

PDF

38.9 KB Created: 2020-11-06 03:30:51 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b14cb2b10e8ca9bc20d28189c39dcf91 SHA-1: 17fa74acdf7826dcc412a454541fdb79a545c99b SHA-256: 9fc284a4d141005d6d70cbf376781e4bce069de3bd4ea6264d28e5c8355986dc
76 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File T1059.007 JavaScript

The PDF document contains a lure related to a 'Ticketmaster access code' and directs the user to a suspicious URL, 'https://trafffi.ru/123?keyword=ticketmaster+access+code'. Heuristics indicate a browser extension installation lure, a common social-engineering tactic for malware delivery. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffi.ru/123?keyword=ticketmaster+access+code
    • https://buwolerujagelav.weebly.com/uploads/1/3/4/5/134580081/bolofinuxexos_puxukev.pdf
    • https://genigudepa.weebly.com/uploads/1/3/1/0/131070712/6023986.pdf
    • https://cdn-cms.f-static.net/uploads/4369161/normal_5f8da59408219.pdf
    • https://cdn-cms.f-static.net/uploads/4426688/normal_5f9ac953466ce.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/sivanira/tebakemikuzanivinopa.pdf
    • https://s3.amazonaws.com/vuxalirudidel/zugujevezel.pdf
    • https://uploads.strikinglycdn.com/files/7999c6e5-b5ab-42fd-835d-58ac16e5188f/minecraft_unblocked_at_school_legacy.pdf
    • https://s3.amazonaws.com/susonanezaj/kendall_and_kylie_game_cheats.pdf
    • https://uploads.strikinglycdn.com/files/8723fc60-5b80-4d7e-bd1a-943a1f61ee77/tevadixaneduzer.pdf
    • https://uploads.strikinglycdn.com/files/bfcdaba3-aa8d-4fca-8788-3c75acf177bd/blank_facebook_profile_photo.pdf
    • https://s3.amazonaws.com/widofafane/word_whizzle_in_nature.pdf
    • https://s3.amazonaws.com/zuxadol/92412745069.pdf
    • https://s3.amazonaws.com/xazarujokemus/kubujex.pdf
    • https://s3.amazonaws.com/zabevog/super_mario_bros_rom_hacks_online.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000596c.bin
92d5790090df388597750be9d22f350837d60b8ccfb519ff6f0fed91b9415145		 pdf-font-stream PDF embedded font (sfnt) at offset 0x596C 5064 bytes
font_01_sfnt_off00006a8d.bin
6a6c326ef8af21a5fed0599c89d676040a99077887d96764ea1c1de70ea77587		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6A8D 10124 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.