Malicious PDF — malware analysis report

Static analysis result for SHA-256 954dd392ce6d9732…

MALICIOUS

PDF

33.9 KB Created: 2020-10-30 17:42:34 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-26
MD5: c2f13b792127972ea14156b001e53dba SHA-1: bc8ddedd406e3d991ecc595cc7519c5776c678e1 SHA-256: 954dd392ce6d97320ae2893a44bbba9ff26989a099ddeb49054ac27a3e7ea8d3
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded URL that redirects to a malicious domain, disguised as a search result for software. This indicates a phishing or redirection attempt to a malicious site. The ML classifier also flagged the PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/wb?keyword=sejda%20pdf%20editor%20full%20version In PDF document text
    • https://cdn-cms.f-static.net/uploads/4367903/normal_5f8db7886c362.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4382208/normal_5f8b4d40906b8.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4380237/normal_5f8d290aa5b74.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366354/normal_5f8c2aa3ae49c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4380393/normal_5f8ba3ff757eb.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4425912/normal_5f9aa4755ba17.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://cdn.shopify.com/s/files/1/0479/6003/1399/files/basiwezamuseliro.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0503/9410/3995/files/the_stranger_picture_book.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0480/3022/0447/files/56215261227.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0483/6333/9927/files/85879736935.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0497/1508/5473/files/my_tuner_radio_apk.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0435/3038/7607/files/whatsapp_new_apk_download_2020.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0505/5171/8070/files/volvo_articulated_dump_truck_operator_manual.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005fb8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5FB8 5272 bytes
SHA-256: 1fd6c0528f617d9e72d0a27d86440648bfec0de9e430479763b284b9fd2a56ff

Open this report in the interactive analyzer, or submit your own file for analysis.