Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c99852fa149c974…

MALICIOUS

PDF

Size: 64.5 KB
Created: 2020-10-27 05:30:04 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b1ca870aacb63eb11d45a29eca7418d6
SHA-1: d693004461ef85c4edac35021e651eaa9024953e
SHA-256: 6c99852fa149c974927279ad8e01c9aad321de03004261b26f1cabb1dd6c492c
Risk Score: 94

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a link to a known malicious redirector, indicating an attempt to lure the user to a harmful site. The ML classifier also strongly flagged this PDF as malicious. While no scripts were explicitly extracted, the presence of embedded URLs and the redirector heuristic suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • Filename: stream_005_off0000b8c4.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xB8C4
    Size: 25608 bytes
    SHA-256: 4fa8e68e196fafffa30c5ec914c414acee5f276d8d4d1416d154e8733d5198af
  • Filename: font_00_sfnt_off000081b0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x81B0
    Size: 4964 bytes
    SHA-256: a3c0febee3816c48530ecf1f9851d1f724db070eeb3f4ad1d0b015a50a5acb8d
  • Filename: font_01_sfnt_off00009288.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9288
    Size: 11060 bytes
    SHA-256: 1eac8e45372d839100aa2a98b460404f11c7e852dba829245aeafdf95daacef8
  • Filename: font_03_sfnt_off0000e64f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE64F
    Size: 4324 bytes
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378