Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ee87539547fcd76…

MALICIOUS

PDF

42.3 KB Created: 2020-11-04 12:11:06 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e86f14083753ad1c364e66eab6f2e940 SHA-1: 2eca2513ba283c2ddd4479bcd6fe1b6e036d4e41 SHA-256: 2ee87539547fcd76a4fab1282a349ba270855d30a1fb756bab43e1acec352c31
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link to known malicious redirector infrastructure, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The embedded URL, https://gettraff.ru/strik?keyword=reviews+on+total+people+plus+vitamins, is likely used to funnel victims to a malicious site. While no scripts were explicitly extracted, the PDF structure and the presence of embedded URLs suggest an attempt to deliver a secondary payload or phish for credentials.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9972

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/strik?keyword=reviews+on+total+people+plus+vitamins
    • https://cdn-cms.f-static.net/uploads/4366337/normal_5f9a0f1cc0c69.pdf
    • https://cdn-cms.f-static.net/uploads/4402940/normal_5f9b8de1e98e6.pdf
    • https://cdn-cms.f-static.net/uploads/4379230/normal_5f8a5ed1682cd.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/3dddcac5-54bf-4934-b6c7-ae9f99d4f96f/american_express_companion_pass.pdf
    • https://uploads.strikinglycdn.com/files/0de98e3f-e709-4b79-81c9-cb00f014353f/tadezusabexozapitidavedi.pdf
    • https://uploads.strikinglycdn.com/files/24411646-be82-4ba3-a3a6-f2af1d404870/24638458611.pdf
    • https://s3.amazonaws.com/fasanag/fazeligukimegasepuvu.pdf
    • https://s3.amazonaws.com/punagilelabon/the_weight_of_glory.pdf
    • https://s3.amazonaws.com/gupuso/lepebatadulobem.pdf
    • https://uploads.strikinglycdn.com/files/bd52a1a9-12c7-4a81-ad4c-d1838382d9d4/63611222567.pdf
    • https://uploads.strikinglycdn.com/files/9ff082cd-0643-4d89-8f5d-cc1c937a10cd/painting_party_ideas.pdf
    • https://uploads.strikinglycdn.com/files/ce1e6c00-1c51-4067-b33c-387d40406436/jufaxepekatixop.pdf
    • https://uploads.strikinglycdn.com/files/a19986ee-a222-43f9-a7b6-c3557bccc518/87111486044.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_007_off0000a199.bin
c0675d9848c8738e454af0f7458ae02b0908946fba9f43961b6cf3d8cf981caa		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xA199 2509 bytes
font_00_sfnt_off00006a6a.bin
af4b7dcac033890f16f30ba92778d8f55bfa6eb1819865e2424f411d78905808		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6A6A 4912 bytes
font_01_sfnt_off00007b21.bin
215c86e4c59eada56c6afaec55fc50861da2b9b91972c8d618496b810d9b5829		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B21 11180 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.