Malicious PDF — malware analysis report

Static analysis result for SHA-256 26cfba80e1639caa…

MALICIOUS

PDF

Size: 33.5 KB
Created: 2020-11-06 12:51:49 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ac1e5363920305f00695fa0e2dd59532
SHA-1: 70983b54ceaefd34bba68b80dbe4095c61ef9b57
SHA-256: 26cfba80e1639caa8faafffa319a172d81322b6569e3027f30fc1d9034f2df69
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a heuristic firing for a malicious redirector link pointing to 'ggtraff.ru'. This URL is embedded within the document body and likely serves as a lure to a phishing site or malware download. The ML classifier also strongly indicated maliciousness. No scripts were extracted, but the presence of a malicious redirector is a strong indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ggtraff.ru/strik?keyword=strike+force+heroes+2+hacked+weebly
    • https://dikanutedageke.weebly.com/uploads/1/3/4/4/134457663/6580920.pdf
    • https://wemibevufiwoseb.weebly.com/uploads/1/3/0/8/130813314/0fa7151.pdf
    • https://vuriluwaloseg.weebly.com/uploads/1/3/4/4/134492921/lagojitu.pdf
    • https://faxegosesu.weebly.com/uploads/1/3/4/5/134528451/tugor.pdf
    • https://senabexe.weebly.com/uploads/1/3/4/2/134265557/6631544.pdf
    • https://bagexefegaluja.weebly.com/uploads/1/3/4/3/134393574/16f1ded.pdf
    • https://gomemetunugup.weebly.com/uploads/1/3/2/7/132712315/desojepiliw-jakuxavinotovot-givijidupudu-wulunovu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/zetare/geometry_chapter_7_review_worksheet.pdf
    • https://uploads.strikinglycdn.com/files/aeee8838-9048-46a6-8c3b-5a11fbdc6cc3/firaretokewefes.pdf
    • https://uploads.strikinglycdn.com/files/ec78d8d6-0d14-41eb-acb9-aaabde08c2fa/bisafomilemonanugumus.pdf
    • https://uploads.strikinglycdn.com/files/71cceb9a-9a24-4965-9c4f-3a1a74007a20/behold_the_dreamers.pdf
    • https://uploads.strikinglycdn.com/files/00b06ef0-4104-4581-b02d-1ed7769114e7/piano_keyboard_letter_stickers.pdf
    • https://uploads.strikinglycdn.com/files/926c8a84-d328-45b8-b854-6b3654aac3f9/93200087012.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006849.bin
SHA-256: 3ac2afd7f12af0a52133cbbac82947e5623f803fc22a9983063c5a7047032454
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6849
Size: 5740 bytes