Malicious PDF — malware analysis report

Static analysis result for SHA-256 afe293939abb516b…

Verdict: MALICIOUS
File type: PDF

Size: 53.7 KB
Created: 2020-10-27 13:29:43 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-05
MD5: 3f43fa99551231c5148f64d01d3c76f3
SHA-1: 239d28c4b7add69aef4884584fbe7ead373b1f66
SHA-256: afe293939abb516b879790a03d6f3cf41f132f5fb0704caa59c2dea9e8c5a768
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries an unusually high number of clickable links for a 53.7 KB document, most of them pointing to external PDF files on a handful of file-hosting CDNs, with the largest cluster on uploads.strikinglycdn.com. This is the pattern of a generated SEO link-farm carrier rather than a document that cites sources. The primary URL, https://cctraff.ru/strik?keyword=puzzle+and+dragons+tier+list+altema, is flagged as a redirector used by a known malicious PDF SEO/adware delivery campaign. The Nyx PDF classifier also scored the file as malicious (1.0000). No scripts were extracted; the document body and heuristics point to a lure that depends on the user clicking through a redirect chain into malicious infrastructure, not on a PDF parser vulnerability. The XMP namespace URLs (w3.org, purl.org, ns.adobe.com) and font-licence URLs (scripts.sil.org, dejavu.sourceforge.net) in the extracted list are ordinary producer metadata from wkhtmltopdf/Qt and are not indicators on their own.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (JavaScript, launch or open actions, embedded files).
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cctraff.ru/strik?keyword=puzzle+and+dragons+tier+list+altema  (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4375341/normal_5f8a870d4326d.pdf  (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366009/normal_5f8f130963ad8.pdf  (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4384143/normal_5f9081cc5f0a2.pdf  (PDF document text)
    • http://www.ascendercorp.com/  (PDF document text)
    • http://www.ascendercorp.com/typedesigners.html  (PDF document text)
    • http://www.daltonmaag.com/  (PDF document text)
    • https://s3.amazonaws.com/lebaxa/thyroid_hormone_regulation.pdf  (PDF document text)
    • https://s3.amazonaws.com/zuxadol/cardiac_arrest.pdf  (PDF document text)
    • https://s3.amazonaws.com/dinilederu/15599286238.pdf  (PDF document text)
    • https://s3.amazonaws.com/saziwijaxodav/18512118501.pdf  (PDF document text)
    • https://s3.amazonaws.com/pugomonapoxuxe/bahishti_zewar_book.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/2cc5b679-226d-4b47-9d0f-d87b9cde1e21/61165213919.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/bda23b0a-cc0c-4646-bd24-2bed87265578/60500941000.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/46b49b71-1b24-4c80-9801-268a3d0ab7ef/15225400957.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/1af6e76f-dc95-4ff1-ad93-777a586eb9ca/noparu.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/3b401ce2-a769-45aa-85c7-b2cad890b94a/97928380778.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/3c483e4f-3842-4ac6-9e32-d214aa3563af/56728062099.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/92e04374-3dab-494c-ab28-6dfa6225985f/xuxawawodasufabizumow.pdf  (PDF document text)
    • https://cdn.shopify.com/s/files/1/0501/0010/9507/files/sosuziselilex.pdf  (PDF document text)
    • https://cdn.shopify.com/s/files/1/0501/9005/7647/files/acls_provider_manual_2020_free.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/18dbb2dc-f430-4d64-b4fa-a4b05418f83c/lebopu.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/8939d8b7-3d18-4bf9-924d-387dc9ab319a/85876173045.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/7bd01acf-217f-491a-8300-382670a106cd/melufavuxubalujipuxidavij.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/3b0ff29e-f70d-409c-a18d-47523e125a96/tewalozoga.pdf  (PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  (PDF document text)
    • http://purl.org/dc/elements/1.1/  (PDF document text)
    • http://ns.adobe.com/pdf/1.3/  (PDF document text)
    • http://ns.adobe.com/xap/1.0/  (PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/  (PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/  (PDF document text)
    • http://scripts.sil.org/OFL  (PDF document text)
    • http://dejavu.sourceforge.net  (PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License  (PDF document text)
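The link-farm and duplicate-object heuristics above can both be reproduced with a raw byte scan of an unpacked PDF. The script below is an added example written for this page, not the analysis engine's own code: it extracts /URI string literals, measures how strongly the external links cluster on one host, and finds indirect objects whose "N G obj" header is defined more than once with different bodies, reporting what a first-wins and a last-wins reader would each resolve. The sample PDF bytes, the thresholds (3 links, 50% on one host, 250 KB) and the list of "active content" keys are constructed assumptions; the report does not state the scanner's real thresholds.

```python
"""Raw-scan checks for the PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
heuristic shapes. Added example; not the analysis engine's own implementation."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed, uncompressed PDF fragment (not the analysed sample): four link
# annotations clustered on one host, and object "4 0" defined a second time in
# an incremental update with a different, active body. A first-wins reader opens
# the URI action; a last-wins reader runs the JavaScript action instead.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Type /Action /S /URI /URI (https://example.invalid/a.pdf) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/1.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/2.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/3.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://other.example/x) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Action /S /JavaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Assumed set of keys that make a duplicated body "active content" (raises severity).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/EmbeddedFile")


def extract_uris(pdf: bytes) -> list[str]:
    """Collect every /URI (...) string literal visible in the raw bytes.
    Caveat: objects inside /ObjStm, Flate-compressed or encrypted content are
    not seen; a real pipeline decompresses and decrypts before scanning."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def link_farm_assessment(uris, pdf_size, min_links=3, cluster_share=0.5, small_pdf=250_000):
    """Link-farm shape: a small file whose external links cluster on one host."""
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    hosts = Counter(urlparse(u).hostname for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = round(top_count / len(external), 2) if external else 0.0
    return {
        "external_links": len(external),
        "pdf_targets": sum(urlparse(u).path.lower().endswith(".pdf") for u in external),
        "top_host": top_host,
        "top_host_share": share,
        "flagged": pdf_size <= small_pdf and len(external) >= min_links and share >= cluster_share,
    }


def find_duplicate_objects(pdf: bytes) -> dict:
    """Duplicate-object shape: the same "N G obj" defined with differing bodies,
    so first-wins and last-wins readers resolve different content."""
    bodies = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(m.group(3).strip())
    findings = {}
    for key, defs in bodies.items():
        if len(set(defs)) < 2:
            continue  # byte-identical re-definitions are not a parser-confusion risk
        active = any(k in body for body in defs for k in ACTIVE_KEYS)
        findings[key] = {
            "definitions": len(defs),
            "first_wins": defs[0],
            "last_wins": defs[-1],
            "severity": "critical" if active else "info",
        }
    return findings


if __name__ == "__main__":
    uris = extract_uris(SAMPLE_PDF)
    print(link_farm_assessment(uris, len(SAMPLE_PDF)))
    for (num, gen), f in find_duplicate_objects(SAMPLE_PDF).items():
        print(f"{num} {gen} obj defined {f['definitions']}x, severity {f['severity']}")
        print("  first-wins reader sees:", f["first_wins"].decode("latin-1"))
        print("  last-wins reader sees: ", f["last_wins"].decode("latin-1"))
```

Run against the constructed sample, the link-farm check flags five external links with 60% on farm.example, and the duplicate-object check reports object 4 0 as critical because its second body carries a /JavaScript action. On a real file, run the scan after stream decompression, and keep the "active content" check: incremental saves from ordinary editors produce body-only duplicates all the time, which is why the report rates this heuristic info-level here.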

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                    Size
font_00_sfnt_off00006e8a.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x6E8A  5076 bytes
  SHA-256: 9d72e9f5f6c1234ffaebd1c6af1cba078bcf957f0b599b2cae8aea360fb5db0b
font_01_sfnt_off00007fb3.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x7FB3  11528 bytes
  SHA-256: 674bc81f3f96380a75a67cfe383a7ae7c9be0c458b8b30b8e289019e34eb603d
font_02_sfnt_off0000a631.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xA631  16092 bytes
  SHA-256: 9af6fc3bf9d751f70540aea0fa47faa159a3604992cda23d2adcda3ffc5346b2
font_03_sfnt_off0000baf8.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xBAF8  4324 bytes
  SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378