Malicious PDF — malware analysis report

Static analysis result for SHA-256 2adca01c097a05f4…

MALICIOUS

PDF

58.8 KB Created: 2020-11-10 11:42:57 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a55442f9e3deb6dfad3243f8a325fef0 SHA-1: 4339953b5a7d14044243a2cb3d5343bb1a730cf4 SHA-256: 2adca01c097a05f4480b4442c87ba1d8848c1b9b68bed79a1435ef10c76dd0ef
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing indicating it links to known malicious redirector infrastructure. The embedded URL, https://gettraff.ru/strik?keyword=dewalt+dc970+18v+cordless+drill, is likely part of a phishing campaign to trick users into clicking on it. While no scripts were explicitly extracted, the PDF structure and the malicious link suggest an attempt to redirect the user to a malicious site, potentially for credential harvesting or further malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8253

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/strik?keyword=dewalt+dc970+18v+cordless+drill
    • https://cdn-cms.f-static.net/uploads/4377115/normal_5f8e6e004c92b.pdf
    • https://cdn-cms.f-static.net/uploads/4419820/normal_5f9739de63bf0.pdf
    • https://cdn-cms.f-static.net/uploads/4390373/normal_5f9154983af81.pdf
    • https://cdn-cms.f-static.net/uploads/4374536/normal_5f8dd39bc1fe0.pdf
    • https://cdn-cms.f-static.net/uploads/4372682/normal_5fa4438a24ed9.pdf
    • https://cdn-cms.f-static.net/uploads/4450356/normal_5fa3bc7e442e6.pdf
    • https://cdn-cms.f-static.net/uploads/4476007/normal_5fa8e74ab8792.pdf
    • https://cdn-cms.f-static.net/uploads/4387819/normal_5f93de82840df.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/petuzutemixuvod/bewusaboz.pdf
    • https://uploads.strikinglycdn.com/files/ee4f3a1d-8d6d-47e3-b0aa-0b9b9a1e1c79/56436743675.pdf
    • https://uploads.strikinglycdn.com/files/3ea7fd78-4062-4bda-a882-937535319643/home_hub_3000.pdf
    • https://s3.amazonaws.com/remoxi/72773870934.pdf
    • https://s3.amazonaws.com/wilugugo/ropuligelobatuxug.pdf
    • https://s3.amazonaws.com/rovikibixu/advantages_of_information_technology_in_education.pdf
    • https://s3.amazonaws.com/sazixipame/screen-o-matic_screen_recorder.pdf
    • https://s3.amazonaws.com/bulikowexunepov/how_long_is_greed_island_arc.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c99b.bin
3f67be895df79e47654e05802ecfe0c8359d7f3b93fddc4e9e72fe15d0c24141		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC99B 5708 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.