Malicious PDF — malware analysis report

Static analysis result for SHA-256 f2120e3610ae21a8…

Verdict: MALICIOUS
File type: PDF
Size: 26.0 KB
Created: 2020-11-01 11:16:29 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b3664931d2813c05a8a89ef64dd0ef41
SHA-1: 0358137626bd3c943d408c614798198c93116e4b
SHA-256: f2120e3610ae21a83ba509ff4560f14c9e04baf7aac34c090c56e8844c0166dd
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a critical heuristic firing indicating it links to known malicious redirector infrastructure. The ML classifier also strongly flagged this PDF as malicious. The embedded URLs, particularly https://cctraff.ru/aws?keyword=la+prueba+del+cielo+pdf, are likely used to funnel victims to malicious sites. No scripts were extracted, but the presence of malicious links within the document body strongly suggests a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cctraff.ru/aws?keyword=la+prueba+del+cielo+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005583.bin
SHA-256: 4de2e6107c3a4ed62677365f4c2dd0f816531c2bc9e48e6c61c74ebf89768b51
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5583
Size: 5052 bytes