Malicious PDF — malware analysis report

Static analysis result for SHA-256 dbabcc03ac3e1e85…

MALICIOUS

PDF

75.2 KB Created: 2020-12-24 23:47:44 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ad92a8f2c19406fa4eb2449a67ad983a SHA-1: d0d7b0141b06fbc4faf9b01412810c799c8b3c3b SHA-256: dbabcc03ac3e1e8506bbfb7fb36c82b3f712d850a613b23e5fda031e8bcea430
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a link to a known malicious redirector, indicating a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly suggest malicious intent. Although no scripts were explicitly extracted, the PDF structure and embedded URL point towards a phishing lure, likely using embedded JavaScript to facilitate the redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/123?utm_term=ellen+foley+nude
    • https://cdn-cms.f-static.net/uploads/4418556/normal_5fbc43d92c951.pdf
    • https://cdn-cms.f-static.net/uploads/4418991/normal_5fad4aeecff83.pdf
    • https://cdn-cms.f-static.net/uploads/4502188/normal_5fd65c4217d71.pdf
    • https://cdn-cms.f-static.net/uploads/4420238/normal_5f9619fb568d1.pdf
    • https://cdn-cms.f-static.net/uploads/4373753/normal_5fd317bd1fc38.pdf
    • https://cdn.sqhk.co/jegisizozul/R4Etv3S/buy_lightroom_software_for_mac.pdf
    • https://cdn-cms.f-static.net/uploads/4474475/normal_5fd6526731802.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/wuxupewu/62850609920.pdf
    • https://s3.amazonaws.com/rokuwapesu/57613559824.pdf
    • https://s3.amazonaws.com/kisimujuk/minecraft_pe_update_apk.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ed64.bin
5ecedf8d3cca673e58de7afbfd739b90c0bb60bf5bf9233369ff642eb3d223d8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xED64 4476 bytes
font_01_sfnt_off0000fcbf.bin
c61540a0cd6f4efd60fdbbf735d82047cc6001937eae7b8135d8986cb69ee548		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFCBF 10376 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.