PDF malware analysis — malicious · fe1b1d9860cfc0bf

MALICIOUS

PDF

66.3 KB Created: 2020-12-10 11:57:55 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 878e97b13cdd600fdecf054d4148e473 SHA-1: dc828a7745b35680dc72948d6ff69c6b6f6b2795 SHA-256: fe1b1d9860cfc0bf6a3c2d816c2ca3cc8cae395a583508f4d71d16857bd5d2a2

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing indicating it links to known malicious redirector infrastructure, specifically `https://gettraff.ru/aws?utm_term=asus+zenfone+5z+android+9+pie+update`. ClamAV also detected this file as `Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0`. The document body, though heavily obfuscated, suggests a lure related to an Android update, aligning with a phishing attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://gettraff.ru/aws?utm_term=asus+zenfone+5z+android+9+pie+update
- https://cdn-cms.f-static.net/uploads/4375896/normal_5f8afdef628ba.pdf
- https://cdn-cms.f-static.net/uploads/4469386/normal_5fb03beb99159.pdf
- https://cdn-cms.f-static.net/uploads/4528959/normal_5fc089b0e116d.pdf
- https://cdn-cms.f-static.net/uploads/4408596/normal_5fab155ec1f35.pdf
- https://cdn-cms.f-static.net/uploads/4366000/normal_5f9fd5584440b.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static1.squarespace.com/static/5fc0d4a28139af037644e7e6/t/5fc544cd2dd96f59189a9a1f/1606763728312/ravi_jagadeesan_harvard.pdf
- https://s3.amazonaws.com/tarizirefevifab/46851566045.pdf
- https://uploads.strikinglycdn.com/files/931058f4-de6a-432d-bcf3-e58d95e45af7/29553309170.pdf
- https://uploads.strikinglycdn.com/files/1f621176-cedc-489d-b907-15df47f7a34d/55130489478.pdf
- https://static1.squarespace.com/static/5fc1bb67bdb33045eec822d5/t/5fc5034608845d092427da52/1606746954557/wozuw.pdf
- https://static1.squarespace.com/static/5fc527e6403f5353fdb14542/t/5fcfed95f034cb7e8e4a8cb2/1607462294160/nejawuxubejarobadiz.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c513.bin` `5c083c0ed8f30ad2ce8ea635d6bb7d0581e5a2ecad7ee6b59b9bbfc844002f76`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC513	5320 bytes
`font_01_sfnt_off0000d749.bin` `2274a389b15f34f13b668c2d5bc2fb6b5b84ebe2b381a503fe885cee4da98bfe`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD749	10768 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.