Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a97ef8c63a20127…

MALICIOUS

PDF

Size: 25.9 KB
Created: 2020-10-29 10:48:33 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 308cf6ed75ae98e7a99e9f5d8885ac15
SHA-1: fdc90b5da100ef37c9509ffcf9a2db35e2b2fd70
SHA-256: 8a97ef8c63a20127767f9744145b02f404ce9fb9465226920bbb406f3f4eb27b
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URL that is flagged as a malicious redirector. The document body, though heavily obfuscated, appears to contain the same URL, suggesting a phishing or social engineering lure. The primary function seems to be directing the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical) [PDF_MALICIOUS_REDIRECTOR_LINK]
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/strik?keyword=telugu+moral+stories+in+telugu+language+download

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  font_00_sfnt_off00004a87.bin
SHA-256:   ae0c4c1c05fb47f8b34441ad989aa684e7d9880206eb55d0485cb2ecb8ade180
Kind:      pdf-font-stream
Source:    PDF embedded font (sfnt) at offset 0x4A87
Size:      5188 bytes