Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ff63da7b88d47ef…

Verdict: MALICIOUS
File type: PDF
Size: 26.0 KB
Created: 2020-11-03 12:12:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 723b458fd07bb4331ee605b91b98811c
SHA-1: 83bd2f85929e06aa517a05af4fde03f8d1feb8a5
SHA-256: 2ff63da7b88d47efd7894ad5d9873a2c1a0b329f81f64c33921c24f443a8f4ca
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF triggers a critical heuristic indicating that it links to known malicious redirector infrastructure. The embedded URL 'https://cctraff.ru/aws?keyword=four+seasons+realty+charlotte+nc+for+rent' is the primary indicator of malicious intent. Although no scripts were explicitly extracted, the PDF structure combined with the malicious URL suggests an attempt to lure the user to a compromised site, most likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cctraff.ru/aws?keyword=four+seasons+realty+charlotte+nc+for+rent
    • https://funiwulew.weebly.com/uploads/1/3/2/8/132814073/8259641.pdf
    • https://julapaxukej.weebly.com/uploads/1/3/4/4/134492969/5818290.pdf
    • https://xujaxivef.weebly.com/uploads/1/3/1/4/131438557/2457f6c731.pdf
    • https://cdn-cms.f-static.net/uploads/4407733/normal_5f924900a1625.pdf
    • https://cdn-cms.f-static.net/uploads/4367667/normal_5f89495a4ce14.pdf
    • https://cdn-cms.f-static.net/uploads/4367617/normal_5fa0ccdfbdf44.pdf
    • https://cdn-cms.f-static.net/uploads/4376625/normal_5f8d304c3cffc.pdf
    • https://cdn-cms.f-static.net/uploads/4367950/normal_5f8b57e9b109c.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/5841a0e7-ec30-441e-84e6-74ffb801f686/southport_ferry_schedule_2020.pdf
    • https://uploads.strikinglycdn.com/files/e76991fd-e76a-46ed-bc7e-a7dc1d1bdf5d/lebata.pdf
    • https://uploads.strikinglycdn.com/files/f00c0efd-0bf0-47bc-82c8-2b9d16ea2e7a/bitagurajari.pdf
    • https://uploads.strikinglycdn.com/files/87359b8a-cd61-4df9-8860-a372580100ab/zizeva.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005300.bin
SHA-256: 6b2c6ab548d2e0dd52395544de764023ec4ff1733745dda7b3b46f01a2029c29
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5300
Size: 5028 bytes