Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c98fb608c365742…

MALICIOUS

PDF

35.6 KB Created: 2020-10-30 06:03:43 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 010aed77b820e02d8e9da2927aab9188 SHA-1: 9dd1c012612c5e14a3d3819bde0a83cd2d43ea3a SHA-256: 6c98fb608c365742b5ad631740a71317928dded4402cebb0332796594fb8a4cf
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded URLs, one of which is flagged as a malicious redirector. The document body, though heavily obfuscated, contains references to URLs that likely serve as lures. The primary malicious URL identified is 'https://gettraff.ru/aws?keyword=nuance+pdf+converter+professional+8+compatibility+windows+10', which is likely used to redirect the user to a malicious site. No scripts were extracted, but the presence of malicious links suggests an attempt to trick the user into downloading further malware or visiting a phishing site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/aws?keyword=nuance+pdf+converter+professional+8+compatibility+windows+10
    • https://nukubutoti.weebly.com/uploads/1/3/2/3/132302768/zigabakajugamun-mebipujafow-jovovemelotafo-pemaxeguru.pdf
    • https://cdn-cms.f-static.net/uploads/4365653/normal_5f874be916141.pdf
    • https://cdn-cms.f-static.net/uploads/4370285/normal_5f9b5e2b274d5.pdf
    • https://cdn-cms.f-static.net/uploads/4386335/normal_5f971a4f9558b.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/b51d49fa-4c85-4a5b-b54c-4d123b9cf271/hp_compaq_dc5700_sound_drivers_for_windows_7.pdf
    • https://uploads.strikinglycdn.com/files/b6776801-e1fe-4019-b294-3f9976aeaa61/17515724654.pdf
    • https://s3.amazonaws.com/kizugokofo/56840235144.pdf
    • https://s3.amazonaws.com/lupebesu/convertible_bunk_beds_full_over_full.pdf
    • https://s3.amazonaws.com/subud/40882451451.pdf
    • https://s3.amazonaws.com/jofunoje/kobalt_wet_saw_manual.pdf
    • https://s3.amazonaws.com/felasorarabipis/age_of_empires_definitive_edition_cheats.pdf
    • https://s3.amazonaws.com/jojitagifuva/texepilaro.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000074cb.bin
6fbec8a50110eeff37b5956ad96ab56446fa0d8d897d202aca7957f642e21bf7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x74CB 6052 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.