Malicious PDF — malware analysis report

Static analysis result for SHA-256 7c41a5cee730a23d…

MALICIOUS

PDF

26.0 KB Created: 2020-10-30 19:11:10 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f773c263b7dd2d2a85556eb192cb7fed SHA-1: 49ab8dbf8315741c6dbac7f0e177068e322689a4 SHA-256: 7c41a5cee730a23d48172392e6da8fcc68a02307f8d4fa8e07fb162459fde7d9
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing indicating it links to known malicious redirector infrastructure. The ML classifier also flagged the document with high confidence. The embedded URL 'https://gettraff.ru/aws?keyword=inflatable+pikachu+costume+ebay' is the primary indicator of malicious intent, likely serving as a lure for a phishing or malware download. No scripts were extracted, but the PDF structure itself facilitates the redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/aws?keyword=inflatable+pikachu+costume+ebay
    • https://jiketajaw.weebly.com/uploads/1/3/4/4/134464131/2293360.pdf
    • https://vuxozajuje.weebly.com/uploads/1/3/1/3/131379873/8980310.pdf
    • https://beritugemob.weebly.com/uploads/1/3/4/3/134332724/db9c1cc1c5ed5e.pdf
    • https://popekuzukije.weebly.com/uploads/1/3/4/4/134471955/tazir.pdf
    • https://cdn-cms.f-static.net/uploads/4368250/normal_5f8f2a49005c3.pdf
    • https://nogomikosisodop.weebly.com/uploads/1/3/2/6/132681488/6263493.pdf
    • https://cdn-cms.f-static.net/uploads/4417670/normal_5f9a098e411b2.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/83d25173-9614-465e-8206-33ba1a458b64/16598065001.pdf
    • https://uploads.strikinglycdn.com/files/b1040758-b9ee-4ef6-81e8-9ffce1d56a0a/34698835412.pdf
    • https://uploads.strikinglycdn.com/files/f5ac38b2-5fcd-4ca9-9407-0b453d69605f/43154312749.pdf
    • https://uploads.strikinglycdn.com/files/46829892-3571-4da8-ae3f-4d19bce1b2c5/90849474371.pdf
    • https://uploads.strikinglycdn.com/files/20075c1a-9997-4491-8901-08285f1071bb/potter_box_example.pdf
    • https://uploads.strikinglycdn.com/files/e3b49e7e-7439-4264-b262-51aa9f5a6bd1/3812031126.pdf
    • https://uploads.strikinglycdn.com/files/382f46e8-3047-4509-994d-ed447770464f/wulixirazadejuwewanepixe.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000044cb.bin
4267bf28e83dead3c49c97ea566aad9a794dd18f9efa0650ab448781594e74dc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x44CB 5400 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.