PDF malware analysis — malicious · f7f2a18f1fa8c80f

MALICIOUS

PDF

60.4 KB Created: 2020-12-17 01:56:15 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c39d8c36d6ef6737d3f20748ef1428b0 SHA-1: d50a564d14642e41e2c9fc31e5157bc19653d3df SHA-256: f7f2a18f1fa8c80fdba1ca458940f4235035a3a603c3d41274469280c174b435

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://gettraff.ru/aws?utm_term=gram+panchayat+ke+work+report'. ML classification and ClamAV also flagged the file as malicious. The document body appears to be malformed or truncated, but the presence of a malicious URL strongly suggests a phishing or malware distribution attempt, likely delivered as a spearphishing attachment.

Machine Learning

Nyx PDF Classifier malicious score 0.9992

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://gettraff.ru/aws?utm_term=gram+panchayat+ke+work+report
- https://cdn-cms.f-static.net/uploads/4419654/normal_5f9edbb198668.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://s3.amazonaws.com/derefe/puforowuvizaru.pdf
- https://uploads.strikinglycdn.com/files/c83e413d-12d9-4cf7-90ab-b98075f1221d/kizulajanoruf.pdf
- https://s3.amazonaws.com/zaxawetawupo/25292930253.pdf
- https://s3.amazonaws.com/xanebavifamopez/rutafowagegiwetapise.pdf
- https://s3.amazonaws.com/remavuj/18613463238.pdf
- https://static1.squarespace.com/static/5fcf1092ad06677b0d29db5b/t/5fd5f0f5acac596b0caeffa1/1607856375100/telecharger_whatsapp_apk_gratuit_pour_pc.pdf
- https://s3.amazonaws.com/jizubisetebof/94500178378.pdf
- https://uploads.strikinglycdn.com/files/50f10835-7bac-4d00-8211-34fbedf0d104/2595919043.pdf
- https://s3.amazonaws.com/subud/paracetamol_mechanism_of_action.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000a63d.bin` `549a02d750bdc0bd874ab6299c884771eb226247178c08779b07516ee2c42a7b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA63D	4992 bytes
`font_01_sfnt_off0000b711.bin` `4aa084a00ddc01f0c65353ef68b0007b6917c940962e4566358ea6d6c70fe854`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB711	9336 bytes
`font_02_sfnt_off0000d70b.bin` `0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD70B	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.