Malicious PDF — malware analysis report

Static analysis result for SHA-256 ada8760798ce6ce7…

Verdict: MALICIOUS

File type: PDF

Size: 67.1 KB
Created: 2020-10-02 14:25:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-22
MD5: 06191996d69791f37fe9c62b1f92f276
SHA-1: f56336d7e9e4450da7da2110fe591773fa83b687
SHA-256: ada8760798ce6ce7d5da110ca8cdde3992c418e3b87bfbc7de7ad1e9feb7b594
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF triggers a critical heuristic: it contains a clickable link to the malicious redirector https://cctraff.ru/strik?keyword=jang+e+siffin+in+urdu+pdf. The ML classifier also strongly flagged this PDF as malicious. The embedded document body, although heavily obfuscated, contains the same URL, reinforcing the malicious intent. The primary attack pattern observed is a malicious link inside the document that lures the user to a potentially harmful site; no parser exploit is involved.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cctraff.ru/strik?keyword=jang+e+siffin+in+urdu+pdf (in PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

stream_006_off0000d79c.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xD79C | 17236 bytes
  SHA-256: 3583c50825acd2c098f55eef90959491571ec42d45b3fefe576f7171cba3b82c

font_00_sfnt_off0000a37d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA37D | 4860 bytes
  SHA-256: 5c2ed2e6d0a10164a90889d82704af3ca78b9c8f0c09b6593e90902e3bb46b1f

font_01_sfnt_off0000b3fe.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB3FE | 10556 bytes
  SHA-256: 797f2e6cf7ed733e0554f82bf5e000fa160a42b9c18accb264dc3d6869337d18

font_03_sfnt_off0000f0ca.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF0CA | 4324 bytes
  SHA-256: ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230