Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa2295e4d3179b78…

Verdict: MALICIOUS

File type: PDF

Size: 35.6 KB
Created: 2020-10-09 08:49:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 729cef3ba29642e68fae4aae4e3223db
SHA-1: b64fc664c5b48c8f32379a4636fba05f01f5f481
SHA-256: fa2295e4d3179b78829117566462c2eb4ca0fc8392b72061d9d123b078d99fdb
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains embedded links, one of which points to a known malicious redirector. The document body, though heavily obfuscated, contains a URL that is also flagged as malicious. This suggests the PDF is designed to redirect users to malicious infrastructure, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000063fb.bin
    SHA-256: b0e546f1b47444620424096a21299b2f6287c9d2867d14174c2bd50dba5b08ce
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x63FB
    Size: 5216 bytes
  • font_01_sfnt_off00007594.bin
    SHA-256: a7634de84f2faf2ad19dcfe80b5d764d7fadb99a56404abf23947404ecf61d3f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7594
    Size: 3204 bytes