Malicious PDF — malware analysis report

Static analysis result for SHA-256 e30bb60645fa96a3…

  • Verdict: MALICIOUS
  • File type: PDF
  • Size: 34.7 KB
  • Created: 2020-11-03 06:14:48 +02:00
  • Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
  • MD5: b4fa620bcc00351fef8d4f36e71d8f80
  • SHA-1: 05db8b5b80535520e519e26a4f67ac9345becb04
  • SHA-256: e30bb60645fa96a3f761f0ac67e0ca8340b00c524f1bede9f67693d42f25ec36
  • Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded links, many of which point to a link farm designed to redirect users to potentially malicious content. One prominent URL, https://gettraff.ru/strik?keyword=applied+math+problems+and+answers+pdf, is flagged as a malicious redirector. The document body, though heavily obfuscated, contains similar text, suggesting a lure to disguise the malicious link farm.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9992

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://gettraff.ru/strik?keyword=applied+math+problems+and+answers+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000658a.bin
  • SHA-256: 04a0e87f6a5e9392b6a48a1a700e0424c46f5833bc856e0276aa98db94b42355
  • Kind: pdf-font-stream
  • Source: PDF embedded font (sfnt) at offset 0x658A
  • Size: 5500 bytes