Malicious PDF — malware analysis report

Static analysis result for SHA-256 c9c74f364d3c8f48…

Verdict: MALICIOUS
File type: PDF
Size: 49.6 KB
Created: 2020-10-27 03:59:21 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 93fd48c4dab02db3cf7f61a7411f4525
SHA-1: 8182ae5aa6607ec42d5ea6c1c98d1e40baa8faad
SHA-256: c9c74f364d3c8f48b3a953ae5ff95de9a3613e7dd5eb82ee76897ea9f005aaf0
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document contains numerous embedded links, including one pointing to a known malicious redirector at `https://cctraff.ru/123?keyword=kingdom+hearts+3+trophy+guide+dlc`. The document body, though partially corrupted, suggests a lure related to 'Kingdom Hearts 3 trophy guide dlc', aiming to trick users into visiting the malicious URL. The presence of many external PDF links also indicates a link farm, a common tactic for SEO poisoning and traffic redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://cctraff.ru/123?keyword=kingdom+hearts+3+trophy+guide+dlc

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006b4d.bin
    SHA-256: 2a5ee1fef7a16e6aa2e0bd19adc442506e3319581b936645f8a85ec2827d683e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6B4D
    Size: 5724 bytes
  • Filename: font_01_sfnt_off00007e94.bin
    SHA-256: 2aec15e8cc36ae6fa699a061c0bf67cc2c1065f0b5cde9858dabfc42e0ed290c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7E94
    Size: 11012 bytes
  • Filename: font_02_sfnt_off0000a442.bin
    SHA-256: d8a1a34de14a7b8fce5e51635835121d353d188f9ac9ce1e11538509fd4c5cdc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA442
    Size: 16060 bytes