Malicious PDF — malware analysis report

Static analysis result for SHA-256 023d751b31883319…

MALICIOUS

PDF

Size: 60.5 KB
Created: 2020-11-06 19:06:37 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7c8e8d12672307c33db14c27bd2a679c
SHA-1: e4b9cd0b12f536a6bbd20659d0775debafcd8011
SHA-256: 023d751b318833193b9643514cd294dfdec1b06d2d3f6d0fc31fa7a14505af29
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

A heuristic fired on this PDF for a malicious redirector link pointing to 'https://cctraff.ru/aws?keyword=chemistry+stoichiometry+study+guide+answers', and the ML classifier also strongly flagged the file as malicious. No scripts were extracted, but the PDF structure contains embedded links that are likely intended to lead the user to malicious infrastructure, disguised as a study guide.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cctraff.ru/aws?keyword=chemistry+stoichiometry+study+guide+answers

Extracted artifacts (6)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000654b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x654B
    Size: 6424 bytes
    SHA-256: e637e929042e3978bec96b31b3490ba660419ed310d31d627162007a830036f1
  • font_01_sfnt_off0000752c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x752C
    Size: 5420 bytes
    SHA-256: 999354eb964b23b32610311056907c011c6aba8fa039249d39e5891215a9d999
  • font_02_sfnt_off00008776.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8776
    Size: 7012 bytes
    SHA-256: 8ebe736d342bc0ff3a6969582ab7cffd2815e705450e9c7f3c561e1e60bd767a
  • font_03_sfnt_off00009f8e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9F8E
    Size: 10508 bytes
    SHA-256: aecb16365dbc2e16436dd707faacd21d3d40b21a401fceef9b3564d167f31097
  • font_04_sfnt_off0000c3c8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC3C8
    Size: 16612 bytes
    SHA-256: 33aebea31f396b93f26f6813f3fb276f814889ea6b130336ef58d1323d2ea3c0
  • font_05_sfnt_off0000d9c1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD9C1
    Size: 1736 bytes
    SHA-256: 1648accd5638f26481c437d0e436fdfb03edab78dab75f4e73239278c8cddc19