Malicious PDF — malware analysis report

Static analysis result for SHA-256 fbb80109d6b4ff90…

MALICIOUS

PDF

Size: 42.5 KB
Created: 2020-11-03 16:45:22 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 165250046b08cbb4de9c54e4aefe2191
SHA-1: 1e658aace5359746274da0022d3901f715e171f9
SHA-256: fbb80109d6b4ff90e826ec050e05f7b9a7398c3931533e8513bdae334e1ae57f
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a critical heuristic firing indicating a malicious redirector link. The embedded URL, https://gettraff.ru/123?keyword=mill+city+oregon+fires+2020, is the primary indicator of malicious intent. The ML classifier also strongly flagged this PDF as malicious. The document body appears to be obfuscated or corrupted, but the URL is clearly visible.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://gettraff.ru/123?keyword=mill+city+oregon+fires+2020

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000672e.bin
    SHA-256: 2b70302d3a38dd3ee189a551fc6562ed7f776ce0a97dab3897cbee20b16dffb4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x672E
    Size: 5220 bytes
  • Filename: font_01_sfnt_off00007923.bin
    SHA-256: 4538e3aeee6bad82ffb49675080d4c98cf89b1adc929784787c6701c4660405a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7923
    Size: 10840 bytes