Malicious PDF — malware analysis report

Static analysis result for SHA-256 19cc9b46283cd7b2…

MALICIOUS

PDF

43.9 KB Created: 2020-10-25 08:02:17 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14
MD5: c1bb9e0e310161ed9ce57fabc33115e9 SHA-1: 96713f039baadee52f75be40e00288bb77fca477 SHA-256: 19cc9b46283cd7b2a01fc96f042e7b8a3c50c877cdd02f7b87b5ad71d3ccd0b0
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a large number of embedded links, many of which point to disposable hosting and appear to be part of a link farm designed to manipulate search engine results. One critical heuristic identified a link to known malicious redirector infrastructure at `https://cctraff.ru/strik?keyword=blue+dragon+guide+heroes+guild`. The ML classifier also strongly indicated maliciousness. The primary attack pattern involves luring users to malicious sites via these links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/strik?keyword=blue+dragon+guide+heroes+guild In PDF document text
    • https://cdn-cms.f-static.net/uploads/4366024/normal_5f88fc7cc6b90.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366365/normal_5f904787337e0.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4388612/normal_5f8d52af67383.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4368501/normal_5f8ea2495331d.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4374002/normal_5f909d1789d7b.pdfIn PDF document text
    • https://penulikadima.weebly.com/uploads/1/3/1/4/131482887/suwumadevurigi.pdfIn PDF document text
    • https://vunatoja.weebly.com/uploads/1/3/0/7/130738644/teruk.pdfIn PDF document text
    • https://penepanixefi.weebly.com/uploads/1/3/4/3/134354239/modivomini_potop_jezojukusibive_ginileluti.pdfIn PDF document text
    • https://mivoxoxez.weebly.com/uploads/1/3/4/3/134340481/5172691.pdfIn PDF document text
    • https://dubuzosokiboxof.weebly.com/uploads/1/3/1/1/131163723/9165264.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4375095/normal_5f8c5a969693f.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4368953/normal_5f8874a50e100.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4380680/normal_5f8f5ba5bed2c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4375357/normal_5f8ad43e72d41.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4380680/normal_5f8f78f1a60cc.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/0a0f08ce-7a56-4aae-a527-0681b5254e08/dubadeledap.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/06a1592f-c466-4f35-bb11-eb86191fde04/cast_iron_cookbook.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/acb97511-c317-4cdf-96cf-d86460ed3bdd/zisasatixe.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0497/8851/8562/files/17775025068.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0482/8472/9506/files/71823461703.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006ce9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6CE9 5136 bytes
SHA-256: 6fd5f0174340d41f6a1faa29f28d3de197a9d1460bfb15834bd757c3d430e0ea
font_01_sfnt_off00007e54.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7E54 10552 bytes
SHA-256: fadcd39f31f9587611949bbd8a2e18eebc12bbd9406ac51264da792a03d2f99b