Malicious PDF — malware analysis report

Static analysis result for SHA-256 a981a7bbbe564ffd…

MALICIOUS

PDF

34.6 KB Created: 2020-10-02 04:55:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1eba563c471e3f14587b0d7f82a67c1d SHA-1: 47b8df63e67b7538f38d0bc3b7e373ef7986744b SHA-256: a981a7bbbe564ffdbff41cf63d19683ec132f9e30c3571ec31f48bc33154c6f9
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded URL that is flagged as a malicious redirector. The ML classifier also strongly indicated maliciousness. The document body, though heavily obfuscated, contains the same malicious URL, suggesting an attempt to lure the user to a harmful site. No scripts were extracted, but the presence of a malicious redirector is a strong indicator of a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?keyword=clases+para+adolescentes+de+escuela+dominical
    • https://site-1036839.mozfiles.com/files/1036839/pawawuforanegas.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0486/2872/7966/files/is_benzene_polar_aprotic_solvent.pdf
    • https://cdn.shopify.com/s/files/1/0433/4302/0183/files/vizio_p55-f1_calibration_settings.pdf
    • https://cdn.shopify.com/s/files/1/0434/7687/7478/files/high_school_musical_script_copy_and_paste.pdf
    • https://cdn.shopify.com/s/files/1/0432/8158/0188/files/dxtory_full_version_download_free.pdf
    • https://uploads.strikinglycdn.com/files/2068daf0-be6b-4d7a-af73-6dbb3318a851/tiwavabiwixexubobigi.pdf
    • https://uploads.strikinglycdn.com/files/c541fdd1-54ad-445e-a60c-75b85a857478/rulawefir.pdf
    • https://cdn.shopify.com/s/files/1/0429/5308/0985/files/stephanie_pui_mun_law_patreon.pdf
    • https://cdn.shopify.com/s/files/1/0433/3692/5342/files/44070085412.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005be9.bin
a8a3238208cac9ea7c59ab861231e816251c22079d90dd6fe56a8a9dbd726748		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5BE9 5124 bytes
font_01_sfnt_off00006d38.bin
ae5b620fe10cb0a364970a401c99458addb821e30650e30347436c26d5ea815d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D38 11048 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.