Malicious PDF — malware analysis report

Static analysis result for SHA-256 80bb600615ea2f88…

MALICIOUS

PDF

48.5 KB Created: 2020-11-04 15:13:19 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e6ac16f8658863bf38cd5e856ec6d8a0 SHA-1: ecda4b9bc47cfd0be886bfa1f0426a62130f6ec4 SHA-256: 80bb600615ea2f88140c96cf51d3e3046ff1e262cfb3f9fe6428f4f7d8abfce6
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link that redirects to malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic and the ML_NYX_PDF_MALICIOUS flag. The document body, though heavily obfuscated, contains text related to 'minecraft pc apk download mediafire' and the malicious URL, suggesting a phishing or scam attempt to trick users into visiting a compromised site. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/aws?keyword=minecraft+pc+apk+download+mediafire
    • https://cdn-cms.f-static.net/uploads/4406482/normal_5f9b09bda138b.pdf
    • https://cdn-cms.f-static.net/uploads/4382194/normal_5f8c59b12addf.pdf
    • https://cdn-cms.f-static.net/uploads/4465012/normal_5fa265b5af257.pdf
    • https://nijubalalo.weebly.com/uploads/1/3/1/4/131453980/sejofafuw-gewovafi-kiduvap.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/8b952c60-a295-472b-9061-01fe744ef4f4/16439645181.pdf
    • https://uploads.strikinglycdn.com/files/40513eaf-86d9-464f-b472-b0701111621c/76664073059.pdf
    • https://s3.amazonaws.com/kexamoxusinixu/jejiluguvorajejux.pdf
    • https://uploads.strikinglycdn.com/files/7958ed34-34dd-4530-aa13-7b702fc3d46b/wekupe.pdf
    • https://uploads.strikinglycdn.com/files/f3fef1ff-e165-4a60-9311-3682a121171d/if_you_take_a_mouse_to_school.pdf
    • https://uploads.strikinglycdn.com/files/6523d1bd-7fbc-4c92-ad8d-526fe09b2e5c/jubasofivilixugefinow.pdf
    • https://uploads.strikinglycdn.com/files/b08d3234-7997-42cb-8b65-822a091ea78f/tigififaxuji.pdf
    • https://s3.amazonaws.com/kiwopusafize/gazetka_kaufland_od_28._03.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000847c.bin
66e354b1803bc562cec478d42d9561ce4a843149b4dc3a74aac98ffa09cb7793		 pdf-font-stream PDF embedded font (sfnt) at offset 0x847C 5284 bytes
font_01_sfnt_off00009686.bin
8da2ace608c32ef0dd17583014d3dd7dd2ac3c2019f92ec21670d1446bb0a79c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9686 8872 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.