Malicious PDF — malware analysis report

Static analysis result for SHA-256 16fb7ace22432f00…

MALICIOUS

PDF

65.0 KB Created: 2021-01-06 13:29:11 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c5df8324cf94d479b6b65c580472700f SHA-1: bfc0c41ddabce83c1ef1465669e6b9219c21e896 SHA-256: 16fb7ace22432f00df6031eff17735b3a8c65e463409f26e0fe53cc44e61dc7d
222 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by multiple heuristics and an ML classifier, indicating a high likelihood of malicious intent. It contains a significant number of external links, including one pointing to a known malicious redirector at 'https://cctraff.ru/aws?utm_term=barkate+ramzan+video'. The presence of a 'download button' lure further suggests a phishing or malware distribution attempt. The document body is heavily obfuscated, preventing a clear understanding of its specific lure, but the overall pattern points to a malicious link farm designed to redirect users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/aws?utm_term=barkate+ramzan+video
    • https://cdn-cms.f-static.net/uploads/4386836/normal_5f92994cc9fae.pdf
    • https://vugiwaxe.weebly.com/uploads/1/3/4/7/134739196/7529223.pdf
    • https://cdn-cms.f-static.net/uploads/4483361/normal_5fd1c46b5fe30.pdf
    • https://cdn-cms.f-static.net/uploads/4384471/normal_5f92738b9a34b.pdf
    • https://lobakazuperowe.weebly.com/uploads/1/3/4/3/134352895/1bde601450d2.pdf
    • https://cdn-cms.f-static.net/uploads/4422382/normal_5fb2b5702665b.pdf
    • https://cdn-cms.f-static.net/uploads/4421049/normal_5fa5dc1f96c2e.pdf
    • https://jawuvufos.weebly.com/uploads/1/3/4/8/134856807/9862509.pdf
    • https://cdn-cms.f-static.net/uploads/4407062/normal_5f9a05ce83df7.pdf
    • https://relotozaku.weebly.com/uploads/1/3/4/2/134266658/zitamivuxibo.pdf
    • https://rivisoni.weebly.com/uploads/1/3/0/7/130739016/vigulusudeloku.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/0441a0c5-7ff7-4280-9680-a2bf6a3fa489/crossword_puzzles_online_free_new_york_times.pdf
    • https://uploads.strikinglycdn.com/files/f77f42b0-911e-47e7-bb8c-6d9543fc6c65/diablo_2_plugy_install_guide.pdf
    • https://uploads.strikinglycdn.com/files/78243fe8-1f0c-4ca8-aa3c-8b049e3cd929/33145668566.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c5ac.bin
353deab2413819cff03398057f84523fc855eabbc7077988d52c96083e56dd2d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC5AC 4984 bytes
font_01_sfnt_off0000d699.bin
f4607171f3176e67c4d418245a58d199195206ec404f83f8659614331f339ad9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD699 9576 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.