Malicious PDF — malware analysis report

Static analysis result for SHA-256 c1df2b2899b8ef59…

MALICIOUS

PDF

70.5 KB Created: 2020-12-24 00:55:08 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-13
MD5: e22e642b9a1c9cffa9552b49ab178c63 SHA-1: edfc688f131b9bc98e5c4cfd83593ae214f039b6 SHA-256: c1df2b2899b8ef59f913f58bda44b5f720b4c03adcae9bab76663db925e66e30
156 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a malformed stream and a high-confidence ML classification indicating maliciousness. It also features a heuristic for an SEO redirector link, specifically pointing to 'https://trafftec.ru/aws?utm_term=creating+a+budget+worksheet', which is likely a phishing lure. The presence of embedded URLs and the overall structure suggest an attempt to redirect users to a malicious site, likely for credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTH
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafftec.ru/aws?utm_term=creating+a+budget+worksheet PDF link annotation
    • https://cdn.sqhk.co/bivadudit/hcicNii/pet_emergency_room_24_hours_near_me.pdfIn PDF document text
    • https://cdn.sqhk.co/nibedogoxov/R66txXd/texoxosu.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4371013/normal_5f9b46d7d28ac.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4424630/normal_5fcf0bb26ab02.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366622/normal_5f894c0ec0a84.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4408348/normal_5fb2b206d8096.pdfIn PDF document text
    • https://cdn.sqhk.co/lizupasepafu/Tjhjchc/35258959895.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366354/normal_5f883a10c88f2.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4477163/normal_5fdf70e57ad18.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4490746/normal_5fb3d35763bb3.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369160/normal_5f9fdf4665ddb.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://uploads.strikinglycdn.com/files/61db33fa-246b-47dd-8b86-7377fdc47e10/whirlpool_washer_repair_manual.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/df8c897e-73c0-42be-b3ad-3ec74d8f50ab/7532904347.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0304fa4f-def5-43ba-8523-a48d5d5f736b/82602315137.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e475741a-a639-4239-ad0b-ac8e54a3e66b/fewogomavibulagijep.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a2e67643-e942-4d6a-aab9-95d8e78bca68/93493554088.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c996.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC996 5256 bytes
SHA-256: 14f1d6a672c8752577b4f0427d1ef89d11d4f88bb29e8cfdaa1a712df655d5c9
font_01_sfnt_off0000db7b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDB7B 10340 bytes
SHA-256: 1c1df8fbc0bd42ac47242b61d098ea26ddd56d2968ad303c2cb1ab070e86456a
font_02_sfnt_off0000fec3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFEC3 4324 bytes
SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3

Open this report in the interactive analyzer, or submit your own file for analysis.