Malicious PDF — malware analysis report

Static analysis result for SHA-256 c78f6a885fe5da4f…

MALICIOUS

PDF

69.4 KB Created: 2020-11-22 01:19:58 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0ef9bc7915b7d41f81b8149b2046655b SHA-1: 1b17b629ed5c189be78bd5e944a22b4a9b7c094a SHA-256: c78f6a885fe5da4ff20221a95d6fa29ef0ec147b1ac0cd38d08ef079fd354c6c
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://cctraff.ru/aws?utm_term=bksb+maths+answers+2019'. The ML classifier and ClamAV also flagged this file as malicious, specifically as a phishing trojan. The document body, though heavily obfuscated, suggests a lure related to 'Bksb maths answers 2019', aligning with a phishing pretext.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/aws?utm_term=bksb+maths+answers+2019
    • https://cdn-cms.f-static.net/uploads/4479925/normal_5fb74d658326e.pdf
    • https://cdn-cms.f-static.net/uploads/4384325/normal_5f8f2764552cf.pdf
    • https://cdn-cms.f-static.net/uploads/4367665/normal_5f9019ec9b6b2.pdf
    • https://cdn-cms.f-static.net/uploads/4381737/normal_5f9a21e6b790e.pdf
    • https://cdn-cms.f-static.net/uploads/4366993/normal_5f8b036ded5a0.pdf
    • https://cdn-cms.f-static.net/uploads/4451566/normal_5fae64a5131e3.pdf
    • https://cdn-cms.f-static.net/uploads/4370294/normal_5fa4434f7c7c0.pdf
    • https://cdn-cms.f-static.net/uploads/4485001/normal_5fa755c6be7e0.pdf
    • https://cdn-cms.f-static.net/uploads/4366309/normal_5fa0f2b0405b4.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/gomakobez/56007037870.pdf
    • https://s3.amazonaws.com/turip/geomorphology_books_free_download.pdf
    • https://s3.amazonaws.com/lopadivupudexa/adobe_acrobat_reader_dc_continuous.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cfe1.bin
6fa71f46ac2f574494d7bcf91f2712bbfea9bd01d7307c8b67990b1579a91243		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCFE1 5720 bytes
font_01_sfnt_off0000e33c.bin
1c53e91de078ba8740a8452569a277328e413355945d1a57a180b54ae7085579		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE33C 11360 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.