PDF malware analysis — malicious · 27c5216bc52856eb

MALICIOUS

PDF

42.3 KB Created: 2020-10-30 10:22:12 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 437845d8f82dbe723877857fbed618a0 SHA-1: 7dfcbb6851a7d7df1c1212e24df3951430b29388 SHA-256: 27c5216bc52856eb3b6baaba330504d2f2eec5704ee7e43c50d86b8fcbf0fa57

94 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link that is flagged as a malicious redirector, pointing to 'https://cctraff.ru/strik?keyword=fact+and+opinion+worksheets+8th+grade'. The document body, though heavily obfuscated, contains text related to 'fact and opinion worksheets 8th grade', suggesting a lure to disguise the malicious link. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://cctraff.ru/strik?keyword=fact+and+opinion+worksheets+8th+grade
- https://laguvibokabab.weebly.com/uploads/1/3/4/3/134383318/serivabopego_zipikiraju_fimopu_saxafat.pdf
- https://cdn-cms.f-static.net/uploads/4366388/normal_5f8745dff2371.pdf
- https://zodovamerevi.weebly.com/uploads/1/3/4/3/134316438/nerijudoj.pdf
- https://guxitubekin.weebly.com/uploads/1/3/4/2/134267073/bc36684089b57.pdf
- https://xebikazogede.weebly.com/uploads/1/3/2/7/132740990/28fef585a7.pdf
- https://xigodawi.weebly.com/uploads/1/3/4/4/134464905/e7832d076.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/sikuva/dadusexirivimupipo.pdf
- https://uploads.strikinglycdn.com/files/09c20c48-d2ae-4054-ad66-094c5f5f8ca6/zusesorizewidiz.pdf
- https://uploads.strikinglycdn.com/files/bea24df8-6862-455d-8b33-9cf6761bc521/61823751327.pdf
- https://s3.amazonaws.com/sezutuma/thief_stone_skyrim_location.pdf
- https://uploads.strikinglycdn.com/files/73b6d1a1-6c4b-4869-bb8d-080e2d9cf110/83290711791.pdf
- https://uploads.strikinglycdn.com/files/75da1a99-9faf-4c5c-b247-00103bf1796e/xobesawovisal.pdf
- https://uploads.strikinglycdn.com/files/2d2eeda0-e860-41d6-90c5-9909310b53fa/96788046397.pdf
- https://uploads.strikinglycdn.com/files/c4ab134a-7c92-4ef3-a3d3-8dcf66a12572/48207622278.pdf
- https://s3.amazonaws.com/levovod/nalagujimabodu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000064dd.bin` `dc9458872c60e0dce3cffdd4ccef4f580d3a903e25298d2024252fdd94cf53ce`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x64DD	5608 bytes
`font_01_sfnt_off00007804.bin` `9ac67d628afa0a81b476799244b2d4bd643e2fcbba4352c4ce531506571a535c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7804	10484 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.