Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1b890e86c6030fd…

Verdict: MALICIOUS
File type: PDF
Size: 34.2 KB
Created: 2020-10-31 13:08:25 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d18ec62047d767aca34df2c757021c48
SHA-1: 5f4d064217e27ed3e6aeb595ee1996a64ab5b709
SHA-256: d1b890e86c6030fd7a99f0c35e006a076c7c0340ca2f4102c6f3b1b6f95ab382
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document contains embedded links that point to known malicious redirector infrastructure, specifically 'ggtraff.ru'. The document body, though heavily obfuscated, contains references to the same URL. The presence of multiple embedded URLs and the critical heuristic firing for a malicious redirector strongly indicate a phishing or malware distribution attempt. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ggtraff.ru/aws?keyword=yoho+sports+band+screen+not+working

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000047f0.bin
  SHA-256: 254b5614d96ab75455c056043b3b03f20349cf47e226986b38c28a5689fde640
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x47F0
  Size: 5560 bytes

Filename: font_01_sfnt_off00005ae0.bin
  SHA-256: af3ed5150e7f7185aa49e8ddeffe16bb09df2bfbc317a017ce6dea27b8409506
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5AE0
  Size: 9860 bytes