Malicious PDF — malware analysis report

Static analysis result for SHA-256 5076d81c734ece41…

MALICIOUS

PDF

38.2 KB Created: 2020-10-02 09:42:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-18
MD5: 8420c63c6ef584e5ca7c0d18ec6b2040 SHA-1: ac163d23b3e5d0c40cbdd0f759ff0f9dfe43d049 SHA-256: 5076d81c734ece4139b013feda184daf74fd57889316c8855f840af4475b2fee
192 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous embedded links, many of which point to a redirector service. The primary redirector URL, https://gettraff.ru/strik?keyword=examen+diagnostico+de+ingles+tercero+de+secundaria, is flagged as malicious and likely serves as a lure for phishing or malware distribution. The document body, though heavily obfuscated, contains this URL and other benign-looking Shopify links, suggesting a tactic to disguise malicious intent within a large number of links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/strik?keyword=examen+diagnostico+de+ingles+tercero+de+secundaria In PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://cdn.shopify.com/s/files/1/0440/6332/6358/files/52712417892.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0434/1412/6759/files/conan_exiles_item_id_numbers.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0476/4975/1206/files/77369607292.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0432/1322/6143/files/physical_vs_chemical_changes_worksheet.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0435/3579/4327/files/different_types_of_texts.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/37c2a10d-6cbf-4725-b618-1bac2b5cc985/fuzafineza.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/85410d6c-9101-4edf-9b0a-ef40414b2354/40815126087.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6345ac91-cc0e-4568-b42b-4cff2286d3a3/nubeme.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0434/1415/9521/files/middle_school_wrestling_near_me.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0501/1436/3557/files/union_movie_theater.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0429/4891/9455/files/zoot_suit_riot_song_lyrics.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0432/8708/5222/files/57295791195.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000062ca.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x62CA 5284 bytes
SHA-256: 569aa00ca6f4ba2d1c2f50fcaea365804c8ee55d044e94e8149161559958ad2f
font_01_sfnt_off000074b1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x74B1 12128 bytes
SHA-256: 42354a444a3bf2d38682b59f2903d00569dbfa6dbb26e23b76209f8d9291eb22