Malicious PDF — malware analysis report

Static analysis result for SHA-256 4fa1a5516d1ca219…

Verdict: MALICIOUS
File type: PDF
Size: 33.6 KB
Created: 2020-10-14 04:33:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a3dde193b25892dc2e7348562a8648aa
SHA-1: b56fdca15df9fbbeb0f528d4ef0076e0a06d8adf
SHA-256: 4fa1a5516d1ca2198ce7f81e74a32e0c32e6abb907f0f9bf01d468498475db3a
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF file contains embedded links that point to known malicious redirector infrastructure, specifically `https://cctraff.ru/strik?keyword=last+player+survival+battlegrounds+apk+download`. This suggests the document is designed to trick users into downloading potentially harmful files by impersonating a legitimate software download. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://cctraff.ru/strik?keyword=last+player+survival+battlegrounds+apk+download

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                       Size
font_00_sfnt_off0000645d.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x645D    5528 bytes
  SHA-256: 154992eb3763abbfe6949e8f85751d94f329898d0cdab1b0797b1f26932d8e69