Malicious PDF — malware analysis report

Static analysis result for SHA-256 9568b284d2ef6ee9…

MALICIOUS

PDF

Size: 55.1 KB
Created: 2020-10-16 08:29:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-22
MD5: ba783aedd8b8440bf9d27d6cc483d95d
SHA-1: 8919894d9006c320ea6230ecd36f59b53da6aa6c
SHA-256: 9568b284d2ef6ee902bb985c52dc279bdb539c55925d24244a72e2fad24bf89a
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a link to a known malicious redirector, cctraff.ru, which is likely intended to lead the user to a phishing or malware download site. The document body, though heavily obfuscated, contains the URL, suggesting a social engineering lure related to a 'study guide'. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies (severity: info, rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cctraff.ru/strik?keyword=ccie+sp+written+study+guide (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00008f08.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8F08
    Size: 5096 bytes
    SHA-256: 015f5a9df9eaeb90891371e608244aadaa61522cc4ccc437cee39fd06cd2edfa
  • font_01_sfnt_off0000a083.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA083
    Size: 14828 bytes
    SHA-256: fe05e2cf77ae55c37ca78dc6908465af70f416a2c5be7c8d240963dbf4436156