PDF malware analysis — malicious · 26011cd6078041c3

MALICIOUS

PDF

53.5 KB Created: 2020-10-30 01:18:41 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b77fb0dea892691e270375a57245ef7b SHA-1: 92cafce4e68b6e09e7087520ba8e7afa5cbdfc50 SHA-256: 26011cd6078041c357ad595a4e4f46d81901e61c971362f3fcc71d337840d311

94 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing indicating it links to known malicious redirector infrastructure. The embedded URL, https://cctraff.ru/strik?keyword=burrell+high+school+class+of+1969, is the primary indicator of malicious intent. While no scripts were explicitly extracted, the PDF structure and the malicious URL suggest an attempt to lure the user to a compromised site, likely for phishing or further malware delivery.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://cctraff.ru/strik?keyword=burrell+high+school+class+of+1969
- https://cdn-cms.f-static.net/uploads/4368503/normal_5f8965fb40be3.pdf
- https://cdn-cms.f-static.net/uploads/4404313/normal_5f9676759493d.pdf
- https://cdn-cms.f-static.net/uploads/4369763/normal_5f896a491ab6c.pdf
- https://cdn-cms.f-static.net/uploads/4380691/normal_5f98a045373bd.pdf
- https://cdn-cms.f-static.net/uploads/4370285/normal_5f8b45cea6d27.pdf
- https://cdn-cms.f-static.net/uploads/4384155/normal_5f9919e4729d0.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/6c203c8d-6077-4201-9ffa-ce511212251c/18455996199.pdf
- https://uploads.strikinglycdn.com/files/3f24b9f9-5f51-44e4-8138-e0938af53bb3/15370416010.pdf
- https://uploads.strikinglycdn.com/files/9550aaec-c8ce-4f8b-b793-efa2ad17f578/xakixukubikiw.pdf
- https://uploads.strikinglycdn.com/files/f4a09b8f-5683-4bb5-8004-45015b5478b5/cobweb_antenna_plans.pdf
- https://s3.amazonaws.com/henghuili-files2/20905285339.pdf
- https://uploads.strikinglycdn.com/files/b93c92e3-5087-4729-9d32-a726b02d29e4/lords_supper_verses.pdf
- https://uploads.strikinglycdn.com/files/33d460ac-2e08-465c-a154-3f5948b9162d/good_words_that_start_with_h_to_describe_someone_in_a_good_way.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008c6e.bin` `02a54acd0246f94802cf6b55dbc5993151fab57534c879126690baf61cf960af`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8C6E	5552 bytes
`font_01_sfnt_off00009f54.bin` `0dab14fdcdddf29a6f04d60fbfa67e98d77091315b477b82201cf17ef8b5c094`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9F54	11856 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.