Malicious PDF — malware analysis report

Static analysis result for SHA-256 04c259b04bbb4652…

MALICIOUS

PDF

Size: 40.0 KB
Created: 2020-09-20 05:44:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0ad6e66ec30c0d0ababcbe580deabcec
SHA-1: 960cb1e7c6fbcc3f25e6ee6acbd9ccf9c5c256bc
SHA-256: 04c259b04bbb465265f2a56da4638cd3828807e2f6e34f5471ffd65c799d083b
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document contains a large number of embedded links, many of which point to external PDF files hosted on Shopify and other file-sharing services. One prominent link, 'https://ttraff.link/wix?keyword=history+of+atomic+theory+worksheet+answer+key', is identified as a malicious redirector. The document's structure and the presence of numerous links suggest an attempt to manipulate search engine rankings or to distribute malicious content through a link farm, potentially leading users to phishing or malware download sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.link/wix?keyword=history+of+atomic+theory+worksheet+answer+key (flagged as malicious redirector)
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0480/8651/5876/files/boho_salon_answers_nail_technician.pdf
    • https://cdn.shopify.com/s/files/1/0427/5470/3526/files/47947316430.pdf
    • https://cdn.shopify.com/s/files/1/0434/6655/5549/files/manual_cateye_enduro_8_portugues.pdf
    • https://cdn.shopify.com/s/files/1/0431/2956/9429/files/fovufokoka.pdf
    • https://667a287d-c81b-4239-a408-dd6b683f5575.filesusr.com/ugd/22bf55_434ab0f40d0c4668aea735a75799b2be.pdf?index=true
    • https://e2e95761-c4de-480a-abf6-81ae6c8b4886.filesusr.com/ugd/8f6098_82c5ded67de64f9cbd2e9b6ba25195cf.pdf?index=true
    • https://0dc4cfbe-6534-4f83-b0d0-c1ea52d71a86.filesusr.com/ugd/8a9bcc_231d7aa32ffc4189aa57aa4b01348916.pdf?index=true
    • https://94d46565-9287-48ec-85dd-dc9de93b893d.filesusr.com/ugd/9757e7_81d34bbef4534ac7b0eeb147fdc4728c.pdf?index=true
    • https://badfd349-632c-477b-bc1e-9876b082e08d.filesusr.com/ugd/5e5b2a_570bcdc62d1d410093934a1707a6b2e6.pdf?index=true
    • https://3bd6ba18-dc80-4efe-973f-858874beb841.filesusr.com/ugd/9d869b_f38752b0520342498f91b48ed826019e.pdf?index=true
    • https://d3137fc0-c17a-4cdc-a2de-7dbaa488d798.filesusr.com/ugd/d8966e_74d9f8569ea948a6933d762843d19934.pdf?index=true
    • https://40c10260-9432-4e7e-a0f2-914682cbbdbe.filesusr.com/ugd/e1d12c_d75decf890f945f6a883186f665d580d.pdf?index=true
    • https://f2af418c-fe8a-4a06-961c-4dfa1c4eac18.filesusr.com/ugd/221eaa_01215cd1faa74335b7b9defa812f3ab4.pdf?index=true
    • https://db5bcc61-55f1-48c0-ac34-8da608722411.filesusr.com/ugd/54b9a1_a486d12f678b4598aa5a2a6fc9c5d633.pdf?index=true
    • https://6cc1c252-1b8e-4765-8c40-f277ef8d2abb.filesusr.com/ugd/338562_8623212521e545fb8641c837caa95e78.pdf?index=true
    • https://df0af89a-881d-4546-86cf-e7b1b8c30572.filesusr.com/ugd/595093_ab3fce2e98f34c109f70fb9f2e7e7bc2.pdf?index=true
    • https://1b5f08d2-fc82-4c10-a2e1-6a21d1e77a66.filesusr.com/ugd/c0b427_7a595a0209b04321865aa3584531358e.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00005e03.bin
    SHA-256: e6952087f33cb726451dad3ca80f91ad82c6baea856662dfeabfc74cab629ca3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5E03
    Size: 5308 bytes
  • font_01_sfnt_off00006fff.bin
    SHA-256: 4d2f4cb9e43b26b29f7af19f9b7c4c0a00e9f0fe2ef9138a12929a63efe7d5ad
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6FFF
    Size: 10168 bytes