Malicious PDF — malware analysis report

Static analysis result for SHA-256 2aadffa3097dbd4f…

MALICIOUS

PDF

40.6 KB Created: 2020-11-06 04:47:15 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3e084f416f0f08a4b4c9654fdea248c7 SHA-1: 16a67b323841a46418093871a29d00f4d51ebb4d SHA-256: 2aadffa3097dbd4fd4257d38a122714a759e2f621b9aa8a862ed59a9203e0554
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a malicious link that redirects to a URL designed to trick users into downloading a Facebook Lite APK. The document body and embedded link text explicitly mention downloading Facebook Lite for Windows, indicating a social engineering lure. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/123?keyword=download+facebook+lite+apk+windows
    • https://cdn-cms.f-static.net/uploads/4381531/normal_5f8fc4283bffa.pdf
    • https://cdn-cms.f-static.net/uploads/4365549/normal_5fa39983dab96.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/90d7a358-e43b-40be-b534-aa7aee41fa93/monazifinufekidufese.pdf
    • https://s3.amazonaws.com/kudufigunabi/xojorufamemavadosilifidad.pdf
    • https://uploads.strikinglycdn.com/files/20322810-d52d-43a2-aafa-0d777e16a9be/64025889195.pdf
    • https://s3.amazonaws.com/pujirageg/nivivulabumidikibap.pdf
    • https://s3.amazonaws.com/lodazojamuva/jojegid.pdf
    • https://s3.amazonaws.com/rimepusox/gloomhaven_rulebook_download.pdf
    • https://uploads.strikinglycdn.com/files/1d571ed9-7314-4297-8105-9762395a2abe/topikepufisejeloladakidux.pdf
    • https://uploads.strikinglycdn.com/files/10954839-8670-4f27-bb4f-bd605bbc304b/9_crimes_chords.pdf
    • https://s3.amazonaws.com/vopadofugon/umass_boston_ladc_program.pdf
    • https://uploads.strikinglycdn.com/files/14883779-c857-4b69-b48c-5a27d6a908f6/jilategomawujavomuji.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006120.bin
5b296383e7690b00b5ad8fb76997ace11ccacaf6b3a04c78a9ea97f24458c9b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6120 5348 bytes
font_01_sfnt_off00007382.bin
2daffa44abd4979f51736cacda5eb9d267be06b9453cde4c2264f65e18693969		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7382 10172 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.