Malicious PDF — malware analysis report

Static analysis result for SHA-256 c0f6d014ce5d872f…

MALICIOUS

PDF

46.3 KB Created: 2020-10-28 08:18:22 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-29
MD5: 0323b1ac13524409387908bc4c6d3446 SHA-1: b936259deea8862c2b7d5ae868fa92014ed63bf3 SHA-256: c0f6d014ce5d872fef4e227c353a6ba1fadb0708413235f9748bb35c272972ea
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged as malicious by an ML classifier and contains a critical heuristic indicating a redirector link to a known malicious URL. The document body, though heavily obfuscated, contains the same suspicious URL. This suggests the primary purpose is to lure the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/123?keyword=composicion+del+aire+alveolar+y+atmosferico In PDF document text
    • https://cdn-cms.f-static.net/uploads/4369150/normal_5f8913592a492.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4377100/normal_5f8d393a62396.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4383795/normal_5f8c2c59784b1.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4387712/normal_5f968c3621f1c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4374700/normal_5f899acf6f562.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4380699/normal_5f8e7842be150.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4387056/normal_5f98abe5ccb09.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4384820/normal_5f96c63d0e0ec.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/jukezeluf/10954541459.pdfIn PDF document text
    • https://s3.amazonaws.com/baritexovopa/40516442558.pdfIn PDF document text
    • https://s3.amazonaws.com/saxefi/34693478313.pdfIn PDF document text
    • https://s3.amazonaws.com/kavitokolezub/thinking_with_type_download_ebook.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5cd4c3b7-c6ed-49d3-aa02-5f15b9a0cb1d/pazaruf.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7633d325-cfe2-49be-9595-62d9337c8e99/call_of_duty_fanfiction_crossover.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d06d5ee5-93e0-47d9-8206-2fe76cd63378/25188523260.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0ff0aa02-3a4a-4ee8-94db-0f3d79690a95/letimevoxizumozijogafik.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a03a42ea-0a1e-4136-82f5-2af26c729540/zumepek.pdfIn PDF document text
    • https://s3.amazonaws.com/zalomi/bland_diet_for_diarrhea.pdfIn PDF document text
    • https://s3.amazonaws.com/zirojopemup/nato_phonetic_alphabet_printable.pdfIn PDF document text
    • https://s3.amazonaws.com/zijivevip/fingerprint_recognition_biometrics.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/3425be89-e193-4869-bf90-14a21ca357dc/fovevidujuberiz.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/53542001-3191-496b-82de-a2ccfc2e99bb/58398889099.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1fc69120-dd62-48af-b3af-e9e055d79974/38689509724.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7e40754d-d536-43b6-aa2f-65a18a75de5f/vujunogakefibeneboko.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000071c4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x71C4 5368 bytes
SHA-256: a1a4a99ac3c6878c29a147bf235a85eb1db9df01e6a133c735b19371ad416f29
font_01_sfnt_off000083f6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x83F6 11488 bytes
SHA-256: 8e0b10433bea0b8cfe6a24ed136fae1d35ac9ebd4bd68e5a8de6369ad323b885

Open this report in the interactive analyzer, or submit your own file for analysis.