Malicious PDF — malware analysis report

Static analysis result for SHA-256 95d60c4b960629a7…

Verdict: MALICIOUS
File type: PDF
Size: 34.7 KB
Created: 2020-11-09 15:33:33 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 73ca50ce4ca9a1122606cba693eb834c
SHA-1: 0fa88bd0af4e81242e2366de7aa9f64e1f641376
SHA-256: 95d60c4b960629a7796c452c78612ce36a7c0ac219714c7da895a62a4f64a579
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF triggers a heuristic for a malicious redirector link pointing to 'https://traffmen.ru/aws?keyword=2004+saturn+vue+owners+manual+free'. The document body, though heavily obfuscated, also contains this URL, suggesting it is the primary mechanism for luring the user to a malicious site. The ML classifier also flagged this PDF with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://traffmen.ru/aws?keyword=2004+saturn+vue+owners+manual+free

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000068d8.bin
SHA-256: 0f71d1c8220a897dcad8d19ae501f8be76d72196b83344fa09a31437a644d38b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x68D8
Size: 5168 bytes