Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3b324320fe8892c…

Verdict: MALICIOUS
File type: PDF
Size: 42.7 KB
Created: 2020-10-17 07:56:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-04
MD5: 098a4e975fe507c936575b3c8ed99bec
SHA-1: bb23c0f846580c5d2bf09379d2b1ef598e6cdbd7
SHA-256: d3b324320fe8892c4c601f6b9c0beabfa966055447132fe64af96b6ebac18c0e
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links, many of which point to external PDF files, suggesting a link farm or SEO manipulation tactic. One prominent URL, 'https://cctraff.ru/strik?keyword=crazy+little+thing+called+love+queen+chords+pdf', is flagged as a malicious redirector. The document body, though heavily obfuscated, also contains this URL and other benign-looking PDF links, reinforcing the lure.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI pointing to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cctraff.ru/strik?keyword=crazy+little+thing+called+love+queen+chords+pdf (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                          | Kind            | Source                                   | Size        | SHA-256
font_00_sfnt_off00005de9.bin      | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5DE9 | 5660 bytes  | 54e295e8926cc33f6318915bcb852640ec5a664fca3245e2fafc4fab986bea3a
font_01_sfnt_off0000712e.bin      | pdf-font-stream | PDF embedded font (sfnt) at offset 0x712E | 14276 bytes | 2a3375f64c5f0a8340757c00778e05898749b8f0840d3f488abf1333e8099f8a