Verdict: MALICIOUS
Risk Score: 94
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://cctraff.ru/123?keyword=south+scope+magazine+pdf'. The ML classifier also strongly flagged this PDF as malicious. While no scripts were extracted, the presence of a malicious URL embedded within the document strongly suggests a phishing or malware delivery attempt.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
- PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
  PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (severity: info, rule: EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URLs (all found in PDF document text):
- https://cctraff.ru/123?keyword=south+scope+magazine+pdf
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00006ad4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6AD4 | 5476 bytes | de736d72587bf813c7e3cdef237b6eab03327c6d357c9436ea8f6600d40d2ede |
| font_01_sfnt_off00007d5b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7D5B | 10164 bytes | 851b67b80fe591a6f5c9a8a38a4d55f5c635cb89d1df96681176c79a9c63ecc7 |
| font_02_sfnt_off00009fd6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9FD6 | 4324 bytes | d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378 |