Malicious PDF — malware analysis report

Static analysis result for SHA-256 86aa266d5480cf9c…

MALICIOUS

PDF

41.7 KB Created: 2020-10-27 18:42:50 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dcae9d7baa967b12e44233ee8844ec10 SHA-1: 13e725a935c0a4863047e03c9937842f4e63b915 SHA-256: 86aa266d5480cf9ce8a0303a90f53f6a1eb92cb1d0944262d054a332b2d6172a
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links, with critical heuristics identifying it as a redirector and a link farm. The primary URL, https://cctraff.ru/strik?keyword=what+is+rap+duty+in+the+navy, is flagged as a known malicious redirector. The document body, though heavily obfuscated, also contains this URL and other links pointing to Weebly-hosted PDFs, suggesting a coordinated effort to drive traffic to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/strik?keyword=what+is+rap+duty+in+the+navy
    • https://goneludolazoga.weebly.com/uploads/1/3/4/4/134488647/xubunajam-sokapidu-sozumibol-dolopevi.pdf
    • https://zesopupejilit.weebly.com/uploads/1/3/0/7/130738861/nevajizupitujox-gadule-betanut.pdf
    • https://finiluxexolije.weebly.com/uploads/1/3/1/8/131856594/9da2ce.pdf
    • https://gomemetunugup.weebly.com/uploads/1/3/2/7/132712315/wabolu.pdf
    • https://cdn-cms.f-static.net/uploads/4408851/normal_5f937b2dd82a8.pdf
    • https://cdn-cms.f-static.net/uploads/4412890/normal_5f9754b9520f5.pdf
    • https://cdn-cms.f-static.net/uploads/4366989/normal_5f8db0f60e95a.pdf
    • https://cdn-cms.f-static.net/uploads/4408712/normal_5f93948796e25.pdf
    • https://cdn-cms.f-static.net/uploads/4368782/normal_5f8bcc98b1a78.pdf
    • https://cdn-cms.f-static.net/uploads/4369179/normal_5f89d41805b2f.pdf
    • https://cdn-cms.f-static.net/uploads/4387218/normal_5f913484dd1d9.pdf
    • https://cdn-cms.f-static.net/uploads/4383475/normal_5f96b7ae450f8.pdf
    • https://cdn-cms.f-static.net/uploads/4383918/normal_5f95a8a88f7d3.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/945c5b36-8754-41fa-9224-cc22873b8a7a/jakubiwojibitodupig.pdf
    • https://uploads.strikinglycdn.com/files/7ba9ba57-39cc-468e-ba02-2b5fd3ec72e3/86299807219.pdf
    • https://uploads.strikinglycdn.com/files/4b97d336-0811-4141-9f69-117e2b8ef861/xigesalufapogarigabugifi.pdf
    • https://uploads.strikinglycdn.com/files/e57619e9-94ff-4606-b6e5-3dcdfdced1d2/rudajepa.pdf
    • https://uploads.strikinglycdn.com/files/d0c0c104-ea7c-4eab-9d79-7e09540ce36f/67446006699.pdf
    • https://uploads.strikinglycdn.com/files/1d50e274-6837-4548-af4f-b92822424a73/gewowoseteronagixi.pdf
    • https://uploads.strikinglycdn.com/files/eed1f8c7-91e4-4474-813c-8b4b6dcae5f6/91989403231.pdf
    • https://uploads.strikinglycdn.com/files/89a3f277-da6b-4ed8-a5fa-7298c52fb148/sulobexunakapamowifajoze.pdf
    • https://s3.amazonaws.com/leguvefu/tuxesabex.pdf
    • https://s3.amazonaws.com/jamokaroxoj/variedades_de_cafe_en_colombia.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006494.bin
7276768758a27b6a1adbe09966751b1d2a11e32a2e8a83f289b6fd1ec44c1e98		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6494 5192 bytes
font_01_sfnt_off00007647.bin
c21ef8a83853e7ed9daa8f7bd22e00bcb481a28fcab06cdd96bfef33ab335c81		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7647 10284 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.