Malicious PDF — malware analysis report

Static analysis result for SHA-256 049eabc0cf00d6ff…

MALICIOUS

PDF

43.2 KB Created: 2020-11-01 04:01:16 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4ff1a93b42af91e0339c14ccfc9407f7 SHA-1: 52ddd6c610182d50039e359c99190af85705a963 SHA-256: 049eabc0cf00d6ff52db46cd0b63c69404323f6493a8deb3c41671dd4ac9bb0f
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a critical heuristic firing indicating it links to known malicious redirector infrastructure. The embedded URL, 'https://gettraff.ru/123?keyword=sonic+2+cheats+xbox+one', is presented within the document body, likely as a lure. While no scripts were extracted, the presence of a malicious URL strongly suggests an attempt to redirect the user to a harmful site, potentially for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/123?keyword=sonic+2+cheats+xbox+one
    • https://cdn-cms.f-static.net/uploads/4387229/normal_5f9b253986a8c.pdf
    • https://ravidaxixow.weebly.com/uploads/1/3/4/3/134315840/6262652.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0500/0334/5558/files/airworthiness_procedure_manual_chapter_17.pdf
    • https://uploads.strikinglycdn.com/files/ca1dabe3-58dc-4873-a4df-682a8b1b52ea/rigomajimikutoren.pdf
    • https://cdn.shopify.com/s/files/1/0497/8701/1221/files/pronombres_en_ingles_ejercicios.pdf
    • https://cdn.shopify.com/s/files/1/0495/9436/8163/files/peviwejibu.pdf
    • https://uploads.strikinglycdn.com/files/f21d928d-4431-4b5c-b5fd-ece083b54449/93722673279.pdf
    • https://cdn.shopify.com/s/files/1/0496/0003/7027/files/dinozoxijere.pdf
    • https://cdn.shopify.com/s/files/1/0436/5955/9065/files/snap_peas_calorie_count.pdf
    • https://cdn.shopify.com/s/files/1/0268/7959/0597/files/gizanagalekobafagekanuda.pdf
    • https://uploads.strikinglycdn.com/files/53c6c216-1821-44b6-bb68-4a6d7db8a467/roy_lichtenstein_drowning_girl_facts.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006b8f.bin
860dabc31fb7953f6c24bde5609a039fa5063471e9e7e675b10217a5644e4c81		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B8F 5200 bytes
font_01_sfnt_off00007d43.bin
5da16d2a11f639da205d6041f5dc1314217fe334bb15248497162b56131b5766		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D43 10192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.