Malicious PDF — malware analysis report

Static analysis result for SHA-256 d01636ee5bb524ec…

Verdict: MALICIOUS
File type: PDF
Size: 34.7 KB
Created: 2020-11-01 07:20:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1afca319cfca62a8baba3e0c292a5896
SHA-1: becb11a4811b7acc566beac1c4943b90ed5b384e
SHA-256: d01636ee5bb524ece54137eb28439e4801a265e1da0fb4bf4ac70d36e94f4d78
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

A critical heuristic fired on a clickable link to known malicious redirector infrastructure, 'https://gettraff.ru/aws?keyword=skyrim+ebony+ingot+farm', and the Nyx ML classifier independently scored the file as malicious (0.9984). The keyword-stuffed redirector URL and the further PDFs linked on weebly.com, cdn-cms.f-static.net and cdn.shopify.com fit a PDF SEO/adware campaign: the document is a wkhtmltopdf conversion of a web page that lures the reader into clicking through an external redirect chain rather than exploiting the PDF reader. Note that neither heuristic below involves JavaScript; nothing in the listed findings substantiates the T1059.007 mapping.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9984

Heuristics (2)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels state the channel (macro, JS, link annotation, document body, ...) through which each URL is reached.
    URLs (the first is the flagged redirector link):
    • https://gettraff.ru/aws?keyword=skyrim+ebony+ingot+farm
    • https://cdn-cms.f-static.net/uploads/4378425/normal_5f96704acc5e2.pdf
    • https://pagogaxuzogujo.weebly.com/uploads/1/3/3/9/133997845/wesaxilire-pafafidud.pdf
    • https://tidemipevu.weebly.com/uploads/1/3/0/7/130740592/tupasominivok-nerarokisexa.pdf
    • https://nitiruminaxodax.weebly.com/uploads/1/3/0/7/130738633/32ff583ac1467.pdf
    • https://cdn-cms.f-static.net/uploads/4368964/normal_5f9045852534f.pdf
    • https://nudojafobedem.weebly.com/uploads/1/3/1/3/131379550/vopisovaz.pdf
    • https://cdn-cms.f-static.net/uploads/4383444/normal_5f9667cf45f2e.pdf
    • https://loxuvamozevu.weebly.com/uploads/1/3/4/3/134310095/jokesigujimevotiw.pdf
    • https://juzomewe.weebly.com/uploads/1/3/4/3/134350864/mabewel.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0503/4331/3604/files/pisusuwizedopolekodiputuj.pdf
    • https://cdn.shopify.com/s/files/1/0499/1565/8401/files/nosuxepezoluti.pdf
    • https://cdn.shopify.com/s/files/1/0266/9051/9221/files/wegalotunipobazesexevobor.pdf
    • http://scripts.sil.org/OFL
    The last three URLs (the Ascender Corporation font-foundry pages and the SIL Open Font License) come from the metadata of the two embedded fonts carved below, a normal by-product of HTML-to-PDF conversion, and are not part of the campaign infrastructure.
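The two heuristics above rest on the same primitive: pull every URL out of the file, record which channel reaches it (link annotation, JavaScript action or plain page text), and match hosts against a redirector list. The following is an added example of that logic in stdlib Python; it is not the report's own tooling. The redirector list holds only the host the report names, the `example.com`/`example.net` URLs and the whole fixture PDF are constructed for the demonstration, and the parser is a regex scanner that handles literal-string URIs and FlateDecode streams only (hex strings, other filters and nested stream dictionaries are out of scope).

```python
import re
import zlib
from urllib.parse import urlparse

# The only redirector host the report names; a real tool would load this
# set from threat intelligence instead of hard-coding it (assumption).
REDIRECTOR_DOMAINS = {"gettraff.ru"}

# A PDF literal string: (...) with backslash escapes allowed inside.
_LIT = rb"\(((?:\\.|[^\\)])*)\)"
URI_KEY_RE = re.compile(rb"/URI\s*" + _LIT, re.S)  # /A << /S /URI /URI (...) >>
JS_KEY_RE = re.compile(rb"/JS\s*" + _LIT, re.S)    # /S /JavaScript /JS (...)
# Stream dictionary plus body. [^>]* keeps the dictionary match inside one
# object; dictionaries with nested << >> (e.g. /DecodeParms) are not handled.
STREAM_RE = re.compile(rb"<<([^>]*)>>\s*stream\r?\n(.*?)\nendstream", re.S)
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'*+,;=%-]+")


def _unescape(s: bytes) -> bytes:
    """Drop the backslash from PDF string escapes such as \\( \\) \\\\ ."""
    return re.sub(rb"\\(.)", rb"\1", s)


def _decoded_streams(pdf: bytes):
    """Yield (dictionary, body) per stream, inflating FlateDecode bodies.

    Other filters are skipped. decompressobj() tolerates a stray CR before
    'endstream' instead of raising on trailing bytes.
    """
    for dict_bytes, body in STREAM_RE.findall(pdf):
        if b"/Filter" in dict_bytes:
            if b"/FlateDecode" not in dict_bytes:
                continue
            try:
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                continue
        yield dict_bytes, body


def extract_urls(pdf: bytes) -> dict:
    """Map each URL (str) to the set of channels through which it is reached."""
    found = {}

    def add(url: bytes, channel: str) -> None:
        found.setdefault(url.decode("latin-1"), set()).add(channel)

    streams = list(_decoded_streams(pdf))
    # Action dictionaries may sit inside object streams (PDF 1.5+), so action
    # keys are searched both in the raw file and in every inflated stream.
    for blob in [pdf] + [body for _, body in streams]:
        for m in URI_KEY_RE.finditer(blob):
            add(_unescape(m.group(1)), "link annotation")
        for m in JS_KEY_RE.finditer(blob):
            for u in URL_RE.finditer(_unescape(m.group(1))):
                add(u.group(0), "javascript")
    # URLs typed into page content: visible text, clickable only if a viewer
    # auto-links it. Object streams hold dictionaries, not page content.
    for dict_bytes, body in streams:
        if b"/ObjStm" in dict_bytes:
            continue
        for u in URL_RE.finditer(body):
            add(u.group(0), "document body")
    return found


def find_redirector_links(urls: dict) -> list:
    """Sorted (url, channels) pairs whose host is, or is under, a redirector domain."""
    hits = []
    for url, channels in urls.items():
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in REDIRECTOR_DOMAINS):
            hits.append((url, sorted(channels)))
    return sorted(hits)


def build_sample_pdf() -> bytes:
    """Constructed fixture, not the analysed sample: one page whose link
    annotation targets the redirector named in the report, plus one plain-text
    URL in an uncompressed content stream and one in a Flate-compressed stream.
    No xref table is written; the scanner above does not need one."""
    plain = b"BT /F1 12 Tf 72 700 Td (See https://www.example.com/notes for details) Tj ET"
    packed = zlib.compress(b"BT /F1 12 Tf 72 680 Td (Mirror: https://cdn.example.net/file.pdf) Tj ET")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents [4 0 R 5 0 R] /Annots [6 0 R] >>",
        b"<< /Length %d >>\nstream\n" % len(plain) + plain + b"\nendstream",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 710] "
        b"/A << /S /URI /URI (https://gettraff.ru/aws?keyword=skyrim+ebony+ingot+farm) >> >>",
    ]
    out = [b"%PDF-1.4\n"]
    for num, body in enumerate(objs, 1):
        out.append(b"%d 0 obj\n" % num + body + b"\nendobj\n")
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(out)


if __name__ == "__main__":
    urls = extract_urls(build_sample_pdf())
    for url, channels in sorted(urls.items()):
        print(f"{url}  [{', '.join(sorted(channels))}]")
    for url, channels in find_redirector_links(urls):
        print(f"critical PDF_MALICIOUS_REDIRECTOR_LINK {url} via {channels}")
```

Run against the fixture, the redirector URL is reported with the channel "link annotation" while the two body URLs are listed but not flagged, which is exactly the split the report draws between the critical heuristic and the informational EMBEDDED_URL entry. The channel label matters for triage: a URL reachable only from page text needs a reader that auto-links it, whereas a /URI action fires on a single click and a /JS action may need no click at all.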

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000630d.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x630D
  Size:    3148 bytes
  SHA-256: 2e8bbac7a9d0ce09f26768726fe8d9a125f7e1d9e9522f871f5bb40abb7c4950

Filename: font_01_sfnt_off00006e49.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x6E49
  Size:    5288 bytes
  SHA-256: eaf77fa76dff7cc264914eecaaa4c67e8eef03885232ef3e7b4998f85c350a31