Malicious PDF — malware analysis report

Static analysis result for SHA-256 f0cc2b96b6148dcc…

Verdict: MALICIOUS
File type: PDF
Size: 26.0 KB
Created: 2020-11-07 23:34:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9cf535ed52ceacf49cd323abec26a08d
SHA-1: 47064900844e786ed952aa20eed9265af1445551
SHA-256: f0cc2b96b6148dccfd1a7f9ba07877ce87d41b9bad6ddd270fb0ac6be55c3fc1
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a link that redirects to known malicious infrastructure, disguised as an offer for free Minecraft codes. The ML classifier also flagged this PDF as malicious. The embedded URL is the primary indicator of malicious intent, likely leading to a further stage of infection or phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9984

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://cctraff.ru/aws?keyword=minecraft+windows10+free+codes+list+may+2020

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004de6.bin
SHA-256: 47a587ea30ba86e7315ce308448e628639c40b357414fbf0facc8ba6890f77e3
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4DE6
Size: 5692 bytes