Malicious PDF — malware analysis report

Static analysis result for SHA-256 f78e505e250ff137…

MALICIOUS

PDF

34.7 KB Created: 2020-10-31 19:46:37 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-15
MD5: 1321aa5d0b115a31c4fcb12a2de3a070 SHA-1: 8d8cd0b8878ccab84e2f696b284232ab832fdaa4 SHA-256: f78e505e250ff1377c1748b7a5c2991f9fced776aa5de911d18764d6c12faa61
92 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing indicating it links to a known malicious redirector. The embedded URL, 'https://ggtraff.ru/aws?keyword=the+office+season+2+episode+9', is the primary indicator of malicious intent. While no scripts were extracted, the PDF structure and the malicious URL strongly suggest a phishing or malware delivery attempt, likely initiated via a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/aws?keyword=the+office+season+2+episode+9 In PDF document text
    • https://cdn-cms.f-static.net/uploads/4390057/normal_5f9b1ac4abe77.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4368467/normal_5f8e98c5193f8.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4402507/normal_5f9229b519843.pdfIn PDF document text
    • https://polabufasol.weebly.com/uploads/1/3/2/8/132814050/3c542cb.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4378171/normal_5f8b430edeebb.pdfIn PDF document text
    • https://ranemexamegen.weebly.com/uploads/1/3/4/4/134440137/9cea17175a.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/0c1c6e62-e793-4e21-a537-3983460c2ad3/80720667384.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7ba776e7-c773-45c9-bd0a-e79d56067863/minecraft_redeem_codes_java.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0268/6998/9559/files/pirik.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2a5243c6-da1e-4096-a491-a2be82f5618b/chinese_martial_arts_pressure_points.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0497/3491/0113/files/pejexobavesifo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/465d510e-c663-4777-a3f1-228b4bf2e5e6/farajazosunoxo.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006102.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6102 5352 bytes
SHA-256: dcb0f3b46239563c2501b4c2d40de635cd90ccc451952ba983a0ee3c1e48b411

Open this report in the interactive analyzer, or submit your own file for analysis.