Malicious PDF — malware analysis report

Static analysis result for SHA-256 dddf220644c211e3…

MALICIOUS

PDF

79.8 KB Created: 2020-12-30 03:57:08 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 47d52cd83e45f3df9d8198d834c1aa31 SHA-1: 1d4ebf426dddbf5bf7a8646a1eff372b0e3a7b6a SHA-256: dddf220644c211e352435b029b80ddf4a25f65a68d197b1c261a4484217599f6
254 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'traffmen.ru'. This, combined with ML classification and ClamAV detection, strongly indicates malicious intent. The document body, though heavily obfuscated, appears to be a lure related to shopping, likely intended to trick users into clicking the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 7

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffmen.ru/strik?utm_term=balenciaga+triple+s+red+outfit
    • https://cdn-cms.f-static.net/uploads/4457620/normal_5fad381442c44.pdf
    • https://cdn.sqhk.co/kumipexa/gVie3Az/84942038787.pdf
    • https://static.s123-cdn-static.com/uploads/4378605/normal_5feb58cd3b468.pdf
    • https://cdn.sqhk.co/rasufizo/gd8raii/craftsman_tools_made_in_usa_for_sale.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/6c3aac14-2c0a-4bf1-8fe5-f13da96686f3/xigokepivikesitovozakupa.pdf
    • https://s3.amazonaws.com/wipotegadodorek/anexo_v_simples_nacional_2019.pdf
    • https://s3.amazonaws.com/bitajemisajoz/software_canoscan_lide_110.pdf
    • https://uploads.strikinglycdn.com/files/6950b636-02b9-4847-b5a0-83b5e33dd22f/xezutuwuzukimekobesofokab.pdf
    • https://uploads.strikinglycdn.com/files/e774a1c9-172d-499b-9551-56d01ada7422/slader_chemistry_answers_chapter_19.pdf
    • https://uploads.strikinglycdn.com/files/b28bd8aa-2d12-4cbd-b5da-ec75f22c8006/nuwujupedugunojivera.pdf
    • https://s3.amazonaws.com/jeduzizonox/gikurejijovetixebifizijix.pdf
    • https://uploads.strikinglycdn.com/files/710fe53b-c082-4f1e-9d7b-ef9d364c87cd/descargar_battlefield_3.pdf
    • https://s3.amazonaws.com/sinamozagemoger/8765463130.pdf
    • https://uploads.strikinglycdn.com/files/dd095317-bf1b-4ac6-8bc2-38823fc0b249/lobizojasozuwirosizoma.pdf
    • https://uploads.strikinglycdn.com/files/6c9e9e70-b291-4865-9784-0893e98a80e2/3984404046.pdf
    • https://s3.amazonaws.com/gopuze/kugexajoxuwesav.pdf
    • https://uploads.strikinglycdn.com/files/023697a6-0566-4209-93f7-e991d0f3d8e3/47569869198.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ee02.bin
02098e56c208dbad395129696a14e797a14e610ddcf08f5b5559f0a933ec1524		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEE02 5256 bytes
font_01_sfnt_off0000ffe5.bin
079fce0e80a5d0f3e0d678bd6e2d7869ec67be4093febca522300c3daa73a409		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFFE5 10496 bytes
font_02_sfnt_off000123ea.bin
b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x123EA 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.