Malicious PDF — malware analysis report

Static analysis result for SHA-256 5c2e32dc41308c20…

MALICIOUS

PDF

34.1 KB Created: 2020-09-29 10:02:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00322283681a07becc0e9eec70e53172 SHA-1: 22f8004cfd5136e844f53f6971d4275c5b94c300 SHA-256: 5c2e32dc41308c20a77685514f36f00405918d6fb5bf38870342fcdfd4b5dded
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link to known malicious redirector infrastructure, indicating an attempt to lure users to a harmful site. The ML classifier also strongly flagged this PDF as malicious. The embedded URLs suggest a phishing or malware distribution campaign, likely initiated via spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/mozel?keyword=understanding+and+using+english+grammar+4th+edition+test+bank+pdf
    • https://site-1036920.mozfiles.com/files/1036920/72581408185.pdf
    • https://site-1036640.mozfiles.com/files/1036640/55714313897.pdf
    • https://site-1036678.mozfiles.com/files/1036678/49738493140.pdf
    • https://site-1036746.mozfiles.com/files/1036746/rumodizoze.pdf
    • https://site-1037241.mozfiles.com/files/1037241/fegaroti.pdf
    • https://site-1036840.mozfiles.com/files/1036840/kikolapubogonedupupunu.pdf
    • https://site-1037079.mozfiles.com/files/1037079/pemokuzaxalos.pdf
    • https://site-1036722.mozfiles.com/files/1036722/96206915006.pdf
    • https://site-1037268.mozfiles.com/files/1037268/zojulofuzuko.pdf
    • https://site-1037094.mozfiles.com/files/1037094/tabovepeworasunatefezuri.pdf
    • https://site-1036945.mozfiles.com/files/1036945/leririjunonokove.pdf
    • https://site-1036835.mozfiles.com/files/1036835/97524046577.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000460b.bin
290c5a516adf1c4214fa85b0b07ca4d93b7a5aa9e500f2475c3dd72b8bd0e090		 pdf-font-stream PDF embedded font (sfnt) at offset 0x460B 5736 bytes
font_01_sfnt_off00005962.bin
c492f70ff6853b79cad94baac426763ce0b9aa71c184172384586c2cdf32323d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5962 10100 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.