Malicious PDF — malware analysis report

Static analysis result for SHA-256 16d062d280f1234d…

MALICIOUS

PDF

33.6 KB Created: 2020-11-02 15:33:11 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ec1ccc43831918b29331ae0d534cae81 SHA-1: cdce41e96e3f50d6320b0db1ec262c82e532b7e1 SHA-256: 16d062d280f1234d8c95767da8293859bcb29e2ac571c943150db71e300f684a
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing indicating it links to known malicious redirector infrastructure. The embedded URL `https://gettraff.ru/aws?keyword=webmd.com+official+sitetarlov+cysts` is a strong indicator of malicious intent, likely leading to a phishing or malware download site. While no scripts were explicitly extracted, the PDF structure and embedded URLs suggest an attempt to lure the user to a malicious destination.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/aws?keyword=webmd.com+official+sitetarlov+cysts
    • https://xiwajuropoji.weebly.com/uploads/1/3/4/3/134371127/benigisuxavulosegepe.pdf
    • https://jubonofu.weebly.com/uploads/1/3/4/2/134234671/xotagarebonejoliza.pdf
    • https://kegegofelev.weebly.com/uploads/1/3/2/6/132681159/a92d7ab06b8.pdf
    • https://cdn-cms.f-static.net/uploads/4375890/normal_5f8c799f0ebb6.pdf
    • https://fozafilamo.weebly.com/uploads/1/3/4/3/134314768/wadejuwoji_jumur.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/8cdfa214-df90-40b9-95f3-a0cdb0ea0105/gutunetuselesovisaba.pdf
    • https://uploads.strikinglycdn.com/files/97b85cdd-3d0b-4674-8cd1-7adb8cff0497/32731540835.pdf
    • https://cdn.shopify.com/s/files/1/0483/5291/9703/files/zerutikud.pdf
    • https://uploads.strikinglycdn.com/files/c99962ec-4fef-40c2-9490-332741a3d0fd/53180771832.pdf
    • https://cdn.shopify.com/s/files/1/0484/5489/3722/files/code_combat_17.pdf
    • https://cdn.shopify.com/s/files/1/0437/9446/4929/files/honeywell_t6_pro_installation_manual.pdf
    • https://uploads.strikinglycdn.com/files/30161988-a28e-464c-9166-90b20b811f76/kuxadutowuzevifusabekepe.pdf
    • https://cdn.shopify.com/s/files/1/0428/3603/3695/files/dovopuzusamobiju.pdf
    • https://uploads.strikinglycdn.com/files/5d551140-9acc-44fb-99a5-a5fcb7cac96a/30856473075.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006512.bin
82887934fee466d9f1c3f82caa01a3291b02cb53bf211ed77fc821a0b58d24ac		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6512 5516 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.