Malicious PDF — malware analysis report

Static analysis result for SHA-256 ade241e6904fe81d…

Verdict: MALICIOUS
File type: PDF
Size: 31.0 KB
Created: 2020-10-21 15:00:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aa53e1d1fb424f39d89382da99f4ae62
SHA-1: fcbe987539d40937168808364dc10518fc594556
SHA-256: ade241e6904fe81deb0f77ed9da8ad785bbe9e5467f5ff7b4b5d081a542be521
Risk score: 92

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://cctraff.ru/pify?keyword=causes+of+ww1+worksheet+ks3'. This URL is likely used to deliver a secondary payload or engage in phishing. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted, but the presence of a malicious URL in the document body indicates a clear intent to redirect the user to a harmful site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical; PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://cctraff.ru/pify?keyword=causes+of+ww1+worksheet+ks3

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                       Size
font_00_sfnt_off00004edf.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x4EDF    5100 bytes
  SHA-256: 8c10755abf21b6e6ffb74580ce93de2550c1638981c4df84e8d70d547693388e
font_01_sfnt_off0000604c.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x604C    9844 bytes
  SHA-256: ee5186150b79c1dd9bbdd2f7d5b0fc61b08de9c8c0b178d895f4cc0ee5665bd3