Malicious PDF — malware analysis report

Static analysis result for SHA-256 8dc5930729da3619…

Verdict: MALICIOUS
File type: PDF
Size: 30.1 KB
Created: 2020-11-02 22:28:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8f97a87c7bd6d01089a7b6e771d21b31
SHA-1: ed73fd14cddd0f7cb52df18d3f611bb995cd98ab
SHA-256: 8dc5930729da3619ca31d65290b7f7ebc179d1417c7bd5d0376cf9862a1434de
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

A heuristic fired on a malicious redirector link in the PDF pointing to 'https://gettraff.ru/strik?keyword=harriet+tubman+movie+amc'. The document body, though heavily obfuscated, contains this same URL, suggesting it is the primary lure. The ML classifier also flagged this PDF with high confidence. No scripts were extracted, but the presence of a malicious URL indicates a likely phishing or malware delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://gettraff.ru/strik?keyword=harriet+tubman+movie+amc

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000067ba.bin
SHA-256: c9d682ce0153fe99458d150f30c023856333509f2412bbef0d28a477f9ea0c5d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x67BA
Size: 4896 bytes