Malicious PDF — malware analysis report

Static analysis result for SHA-256 5fa94b78f583290a…

MALICIOUS

PDF

48.8 KB Created: 2020-10-27 01:04:32 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-26
MD5: e00a22d3588f218f443cf3dc762f9ed9 SHA-1: fc5297c13acbdcd16dcf7bb96bb840ae2f505fba SHA-256: 5fa94b78f583290a4927fc79fbfb7bcfa33173b8c5d50e4d3f4fe875125d3c74
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains a large number of embedded links, many of which point to external PDF files hosted on various domains. One of the primary links, 'https://cctraff.ru/123?keyword=sonic+adventure+2+randomizer+rom', is identified as a malicious redirector. The document's structure and the presence of numerous links suggest an attempt to direct users to malicious infrastructure, likely for further exploitation or phishing. No scripts were extracted, and the document body is heavily obfuscated.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/123?keyword=sonic+adventure+2+randomizer+rom In PDF document text
    • https://cdn-cms.f-static.net/uploads/4380229/normal_5f95decbbc315.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4402247/normal_5f92afaf23bc0.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4379498/normal_5f8fec8e24330.pdfIn PDF document text
    • https://wurikosaradusif.weebly.com/uploads/1/3/1/3/131384544/6245023.pdfIn PDF document text
    • https://babikovinemixe.weebly.com/uploads/1/3/1/8/131856339/fapolurefo-dubofibojarotof-kezefenobudijix.pdfIn PDF document text
    • https://lodirunesu.weebly.com/uploads/1/3/0/8/130874391/fisit.pdfIn PDF document text
    • https://gusumadanu.weebly.com/uploads/1/3/2/6/132695601/pasex.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4365539/normal_5f870c599d8fa.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4391624/normal_5f8e7a7b7a6a8.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4374207/normal_5f8d6e8db85ef.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4374840/normal_5f9082374fc54.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4377095/normal_5f8d7e9f96925.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4367920/normal_5f88a87c9021e.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4376625/normal_5f953bc41eb7f.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/2e6a0cb2-b412-40bf-a5d4-fe5c55c0fdc5/bafujo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ff90321b-8a37-4540-adc2-da56f9278797/2128129376.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000069f7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x69F7 5220 bytes
SHA-256: e246440065b72e356b363d1ee39423878d88c37b6306cf2c3b945daeea5d9170
font_01_sfnt_off00007ba3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7BA3 10716 bytes
SHA-256: 841fa407c4e1b3d6fd74319784fbaf3770ddde5b85e3cede025893bd6763ef7e
font_02_sfnt_off0000a057.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xA057 16332 bytes
SHA-256: 91c92fab729f552433758475f1ecf6a366c66c74ae6b4dd9e31a9a0100f2b42c

Open this report in the interactive analyzer, or submit your own file for analysis.