Malicious PDF — malware analysis report

Static analysis result for SHA-256 97c66fc81e831e75…

Verdict: MALICIOUS
File type: PDF
Size: 69.9 KB
Created: 2020-12-17 16:48:45 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-22
MD5: ed0679a894f22d47614d28a6836f677b
SHA-1: 2f71d50bb196a0c81a2335682c530ecb2ef50a32
SHA-256: 97c66fc81e831e75cb67565daa6bac2b4c83777bcf90f9db032918efd15d035b
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

A heuristic fired on a malicious redirector link in the PDF pointing to 'traffine.ru'. The document body, though heavily obfuscated, contains text about an 'Indian navy civilian answer key 2019', which suggests the lure theme. The ML classifier also flagged the PDF as malicious. The primary IOC is the malicious URL used in the lure.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9409

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffine.ru/wb?keyword=indian%20navy%20civilian%20answer%20key%202019 (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000d376.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD376
    Size: 5672 bytes
    SHA-256: 5cf5cbce485eb5fbef90b40570efb4e834d576e4d34d5dd2cf7fbf6ae35ef0f4
  • font_01_sfnt_off0000e6f4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE6F4
    Size: 11056 bytes
    SHA-256: 103e22dea4a22697503bcd5885bc9d083e3bbf6f6c1aa6e99ebe2b62a898d24e