Malicious PDF — malware analysis report

Static analysis result for SHA-256 6fe52ea2302e3a13…

MALICIOUS

PDF

25.9 KB Created: 2020-11-03 20:13:43 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5870ae8c2ca666923782d5c96d9f6d8c SHA-1: c93b9362a2e10b0584a7f2e2f3e20f6a6befb1b5 SHA-256: 6fe52ea2302e3a136bd162eb4f7032b48435f0d02bb5dc0e936e93a18c5d937c
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a heuristic firing for a malicious redirector link pointing to 'https://gettraff.ru/strik?keyword=stockx+seller+discount+code+2020'. The document body, though heavily obfuscated, also contains this URL and references 'Stockx seller discount code 2020', suggesting a lure. The ML classifier also flagged the PDF as malicious. No scripts were extracted, but the presence of a malicious redirector URL indicates an attempt to lead the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9978

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/strik?keyword=stockx+seller+discount+code+2020
    • https://zunuduzeguw.weebly.com/uploads/1/3/4/3/134344012/3947579.pdf
    • https://xotiroxo.weebly.com/uploads/1/3/0/7/130776105/1299366.pdf
    • https://bafuvaki.weebly.com/uploads/1/3/4/3/134336870/6800446.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/9a9e03dd-b49c-4f5e-abea-ce3d4ed658a8/dalamegoj.pdf
    • https://s3.amazonaws.com/pibabopuduj/sazanisugodomu.pdf
    • https://s3.amazonaws.com/fomaralunex/44051568087.pdf
    • https://s3.amazonaws.com/sazixipame/voltaire_candide_book.pdf
    • https://s3.amazonaws.com/bubeto/wipunavutubopomamini.pdf
    • https://uploads.strikinglycdn.com/files/ddd78658-544b-46e7-8b79-ab4fd66ba85e/bukejibija.pdf
    • https://uploads.strikinglycdn.com/files/cd3fbf30-926f-4416-ab12-44423826e37d/42482093945.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005040.bin
d61d310a354c837e19223e12abe9ceb7e3df0e581267d8c8e8f9b6fa954f527a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5040 5232 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.