Malicious PDF — malware analysis report

Static analysis result for SHA-256 80ffe89cb1e4aadf…

MALICIOUS

PDF

44.8 KB Created: 2020-10-25 21:31:04 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-26
MD5: fa6d4df9f8b5b69ea4fc656c8818f8c4 SHA-1: 19622509a1d3657d5a7aee225ae908afbc16abd4 SHA-256: 80ffe89cb1e4aadffa734a1f1bf8044e35efd62686e30220ddaeaaf07bf2e708
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded links, one of which, https://cctraff.ru/123?keyword=flu+shot+2020+pdf, is flagged as a malicious redirector. The document body, though heavily obfuscated, contains references to this URL and other benign-looking PDF links, suggesting a phishing or redirection attempt. The presence of numerous external PDF links also indicates a link farm, likely for SEO poisoning or to obscure the malicious destination.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/123?keyword=flu+shot+2020+pdf In PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/1e7d671d-c122-415e-9934-03500df12a3b/nosiwajaborekavixidupumej.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/cf4b6d36-1524-49c7-93c6-90afb401453b/weras.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e4b90efb-818e-4aa2-855d-daf531def75b/pexifogeraxenalun.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0437/7152/7319/files/harvest_moon_back_to_nature_apk_ppsspp.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d89660ba-0339-4caa-94c6-26d2ec2367c0/juvanakomopunija.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f4cd4f32-e2f8-4f96-847a-60b54a46feea/jogos_de_matematica_4_ano_multiplica.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c249f4ac-2888-4eb6-9f51-82ed1d665fa1/51773542107.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ffaacefb-19bd-4c46-bc62-2462a760982e/xigebibixeg.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/3c5cfb6f-1707-46c9-83eb-dc8ade3eecf3/49304875306.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/78ed748f-2958-4d4d-b071-27e0a7e2cd72/97396621989.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/49671580-754a-4320-b134-2fa797b955e5/52347168241.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0431/6535/2093/files/leeds_map_print.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0484/0888/7454/files/emoji_converter_iphone_to_android.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0429/0389/6217/files/sims_freeplay_hack_offline_apk.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0440/5955/8053/files/86812045823.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0493/6715/4847/files/89570562298.pdfIn PDF document text
    • https://s3.amazonaws.com/zidenigad/festival_avignon_off_2019.pdfIn PDF document text
    • https://s3.amazonaws.com/kopisigapub/22968733821.pdfIn PDF document text
    • https://s3.amazonaws.com/biwuwukesazef/669084487.pdfIn PDF document text
    • https://s3.amazonaws.com/kavitokolezub/canzone_di_bacco_e_arianna.pdfIn PDF document text
    • https://s3.amazonaws.com/tudawufed/22633454500.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007141.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7141 5052 bytes
SHA-256: 361ada3e56e37bdb34b02db53cdf9c159bcf5f00ecd92cc0daa8f2de8cf9322f
font_01_sfnt_off00008279.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8279 10376 bytes
SHA-256: ba97a2b79fc9855c1584bd4d387b5e512afc1f5675df43039c96aa58dd61483f

Open this report in the interactive analyzer, or submit your own file for analysis.