PDF malware analysis — malicious · f029c4a5c91ecded

MALICIOUS

PDF

78.8 KB Created: 2020-12-18 13:57:09 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b544dfd5f229c7153dbf2370566b5e68 SHA-1: 7eabe71069d8189753ccb60d3e80f4a71cb9a264 SHA-256: f029c4a5c91ecded3d5db3609c1a35ca945391bb8387b1780048aae579740edb

162 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link to a known malicious redirector, 'https://gettraff.ru/strik?utm_term=steam+crack+download', which is associated with phishing and malware distribution. The presence of a visual download button and the ClamAV detection as 'Pdf.Phishing.Trojan' further indicate a malicious intent to trick users into downloading harmful content. No scripts were extracted, but the overall structure and URL suggest a phishing lure.

Machine Learning

Nyx PDF Classifier malicious score 0.9996

Heuristics 5

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://gettraff.ru/strik?utm_term=steam+crack+download
- https://bizalaso.weebly.com/uploads/1/3/4/4/134443832/komugidumaji-pagarowixobe.pdf
- https://waxusebodik.weebly.com/uploads/1/3/4/5/134529962/damiliv.pdf
- https://tulivugid.weebly.com/uploads/1/3/4/6/134607321/tilemoxam_befowizesivufu.pdf
- https://cdn-cms.f-static.net/uploads/4377928/normal_5fad8279836e8.pdf
- https://cdn-cms.f-static.net/uploads/4408583/normal_5f92ecd29cb97.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/wiremeresegikon/romesaviz.pdf
- https://s3.amazonaws.com/rebomedug/write_complex_number_in_rectangular_form_calculator.pdf
- https://s3.amazonaws.com/vajefam/excretory_system_worksheet_for_grade_5.pdf
- https://s3.amazonaws.com/forupokisip/51913529216.pdf
- https://s3.amazonaws.com/nalifij/laboratory_equipment_maintenance.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000edaf.bin` `c112b167cdb9f5850182299f5f3f9305cf2a9aa1b7813fd0b75ad99c10fcef0d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEDAF	5168 bytes
`font_01_sfnt_off0000ff3d.bin` `827be2f448084b3d58e028bf8124d43f99dd6ddd73dfb63b3d7404e5ef9ca088`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFF3D	15116 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.