Malicious PDF — malware analysis report

Static analysis result for SHA-256 83fba22305afe3b6…

Verdict: MALICIOUS
File type: PDF
Size: 44.7 KB
Created: 2020-10-27 20:56:50 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c722bc37542ecbec9c9ac89700f78f7
SHA-1: 4eb63ef4214ef872d3b928c79f1f600fc157950d
SHA-256: 83fba22305afe3b6a0efc2967f4c4d593327b452decff6d77813182ceda56d1e
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to a redirector infrastructure. The primary malicious URL identified is cctraff.ru, which is flagged as a malicious redirector. The document body, though heavily obfuscated, contains this URL and references to other PDFs hosted on strikinglycdn.com, suggesting a link farm or redirection scheme.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cctraff.ru/strik?keyword=native+american+hallmarks

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00007147.bin | c2f36b68fe664c2d484a63a98200b900f3eedeb579ba837305743c5a61a1335d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7147 | 5132 bytes
font_01_sfnt_off00008292.bin | 3ba213871519915ca97f94491aabbe0e6b800d450985b55315f4ee1584befe31 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8292 | 10208 bytes