Malicious PDF — malware analysis report

Static analysis result for SHA-256 b28124e82e784996…

Verdict: MALICIOUS
File type: PDF
Size: 69.9 KB
Created: 2020-12-17 07:43:33 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d0bf524e5f5931d85b2ac07cb02abe61
SHA-1: 7de5b0616aea71a6f8864c6716fa1fa72c8ae468
SHA-256: b28124e82e7849960a08e2627edf860907ea9e2064d6d9e692d5588de55ec8f5
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains embedded text referencing a "Dragon world hack generator", and a critical heuristic fired because the document links to known malicious redirector infrastructure. The primary malicious URL identified is traffmen.ru, which likely serves as a lure leading to a phishing or malware distribution site. No scripts were extracted, but the PDF structure and the malicious link suggest a phishing or social engineering attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://traffmen.ru/strik?utm_term=dragon+world+hack+generator

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000d616.bin
    SHA-256: 291871e0309014353087e47cdb01a512dc851da05337dfa9aaf2192ee21dc952
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD616
    Size: 5176 bytes
  • Filename: font_01_sfnt_off0000e7bf.bin
    SHA-256: 3e9e555fa99f217e62e34ecb21a115c518c3f76f9f8e72ea74f6867b99ce2646
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE7BF
    Size: 10120 bytes