Malicious PDF — malware analysis report

Static analysis result for SHA-256 e4c6792520c2706c…

Verdict: MALICIOUS
File type: PDF
Size: 76.3 KB
Created: 2020-11-24 07:47:31 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-14
MD5: 921174fcb3a9d717e615dcdcfcb81259
SHA-1: b2be3f58b95c562466ee9983b7d758b044318b5b
SHA-256: e4c6792520c2706c8f1638bd12041e52c0c0416e3b8026014cf4b4eccc6f421c
Risk Score: 92

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF triggers a heuristic for a malicious redirector link pointing to 'traffking.ru'. The document body, though heavily obfuscated, appears to be a lure built around a movie title, a common tactic for phishing or malware delivery. No scripts were extracted, but the presence of a known-malicious URL strongly suggests an attempt to lead the user to a harmful site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9086

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffking.ru/strik?utm_term=a+murderer%2527s+guide+to+memorization+eng+sub (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e28e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE28E
    Size: 8628 bytes
    SHA-256: 270ff5c7485af167ce1cdb360f6ecfc6e2eac0720488aa545eaf32cc459297ed
  • Filename: font_01_sfnt_off0000fe06.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFE06
    Size: 5208 bytes
    SHA-256: ad0f796617568a0e0413e6cb311b5967447be889c851cc6dc9ad7f90ba5ead70