Malicious PDF — malware analysis report

Static analysis result for SHA-256 7a80fa5877344b9d…

MALICIOUS

PDF

34.7 KB Created: 2020-11-01 10:31:30 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6bef921635a18712dd5c1da5d7588751 SHA-1: a6c33048ba6e19f0f217d04c50914dc872ea3503 SHA-256: 7a80fa5877344b9d708ab5acdd016c204526b80f9ee6c28f29431029158e9809
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded URL that points to a known malicious redirector. The ML classifier also flagged this PDF with high confidence. The document body, though heavily obfuscated, contains the same URL, suggesting an attempt to lure the user to a malicious site. No scripts were extracted, but the presence of a malicious redirector is a strong indicator of a phishing or malware delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/aws?keyword=belt+drive+ebike+2020
    • https://cdn-cms.f-static.net/uploads/4370989/normal_5f894a375891c.pdf
    • https://cdn-cms.f-static.net/uploads/4366400/normal_5f8779032d447.pdf
    • https://cdn-cms.f-static.net/uploads/4366993/normal_5f87579f6b102.pdf
    • https://cdn-cms.f-static.net/uploads/4369916/normal_5f9e45244a0fc.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0502/2570/9211/files/anelace_binary_clock_instructions.pdf
    • https://cdn.shopify.com/s/files/1/0504/4902/3145/files/79730777360.pdf
    • https://cdn.shopify.com/s/files/1/0430/9558/9018/files/citi_field_seating_map_with_rows.pdf
    • https://cdn.shopify.com/s/files/1/0503/3859/5012/files/fmea_4th_edition_ranking_table.pdf
    • https://cdn.shopify.com/s/files/1/0502/3861/9813/files/35400872761.pdf
    • https://cdn.shopify.com/s/files/1/0483/2319/9140/files/76023478060.pdf
    • https://s3.amazonaws.com/mejados/35086758372.pdf
    • https://s3.amazonaws.com/gumagabu/puzzle_and_dragon_guide.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f5e.bin
74da4238b6e216fa4a398bf51fd78cb0f8ead1e3b965c2161c744cc884d224ba		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F5E 5020 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.