Malicious PDF — malware analysis report

Static analysis result for SHA-256 dda341fedfbbe57a…

MALICIOUS

PDF

53.3 KB Created: 2020-11-02 17:08:57 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0746bfb7b0317dd0c3e0af9a847fd261 SHA-1: 1774c5281327612d017ff3b4494982e76af0d240 SHA-256: dda341fedfbbe57ac084ce77bf57599e64f4831c63bc95a6d847906e5edf2d15
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document was flagged by a machine learning classifier as malicious and contains a link to known malicious redirector infrastructure. The embedded URL `https://ggtraff.ru/strik?keyword=cesar+millan+wife+picture` is likely the initial stage of a phishing or malware delivery chain. The document body contains obfuscated text and a reference to the malicious URL, further indicating malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?keyword=cesar+millan+wife+picture
    • https://zekasujiminog.weebly.com/uploads/1/3/4/3/134366003/2726690.pdf
    • https://fidegobopoj.weebly.com/uploads/1/3/2/8/132815019/kojoninod_lubonazazo_toxutifubaxusi_mukijap.pdf
    • https://relugudikovok.weebly.com/uploads/1/3/4/2/134265752/c186f2ab8.pdf
    • https://fidurelofomus.weebly.com/uploads/1/3/0/7/130740547/zokuluvukeso.pdf
    • https://cdn-cms.f-static.net/uploads/4387420/normal_5f948b63bf96b.pdf
    • https://cdn-cms.f-static.net/uploads/4404755/normal_5f9987fa00aac.pdf
    • https://kuguzozivef.weebly.com/uploads/1/3/0/7/130739994/396ac2efd17e.pdf
    • https://cdn-cms.f-static.net/uploads/4367916/normal_5f97e7461347b.pdf
    • https://cdn-cms.f-static.net/uploads/4375907/normal_5f985d0b3c361.pdf
    • https://xedaliwim.weebly.com/uploads/1/3/1/4/131454603/sudamoraz.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0508/6216/2118/files/binomial_nomenclature_definition_simple.pdf
    • https://cdn.shopify.com/s/files/1/0499/0933/4184/files/xepupebapojavenidakod.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008e3d.bin
bc587e6308a31282838b34853413f0bbe89bb6f0b9b2d6add7b5e7231da560bb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8E3D 5160 bytes
font_01_sfnt_off00009fc2.bin
b555608ef87bb910cffd0da061a61a2791817ceab1b651bd459877af30733a2e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9FC2 12204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.