Malicious PDF — malware analysis report

Static analysis result for SHA-256 06158437e7d1ac09…

MALICIOUS

PDF

42.4 KB Created: 2020-09-01 03:30:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 08157e2c98cdb59b018b0005e0e00821 SHA-1: 7f4fb166e5c994dd54455aad5240140ffffc91b6 SHA-256: 06158437e7d1ac09f4cbbf4d1cfa6432b57a5aeba1dad759f87793679337bed3
214 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com', which is also present in the document body. The document also exhibits a critical heuristic for requesting recovery secrets, such as private keys or saved passwords, indicating a credential harvesting attempt. The presence of numerous embedded links, many pointing to 'static.usrfiles.com', suggests a link farm designed to obscure the malicious destination.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=vcenter+5.+5+certificate
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static.usrfiles.com/ugd/b8c837_8fe391e1ecc7423fbb588e96e9cb1cfc.pdf
    • https://static.usrfiles.com/ugd/ba3095_8738f5756f08450cb7e7e073f220b8e0.pdf
    • https://static.usrfiles.com/ugd/50de67_1c8b9938696942d29051e8e9a95718cd.pdf
    • https://static.usrfiles.com/ugd/cbe7f7_4c2e5f7def694b23951734f22154a2a8.pdf
    • https://static.usrfiles.com/ugd/b8c837_3716386159e84bb3a521068b19b856cb.pdf
    • https://cdn.shopify.com/s/files/1/0463/0803/2669/files/acrobat_failed_to_load_core_dll_wind.pdf
    • https://cdn.shopify.com/s/files/1/0434/7301/0845/files/totowimap.pdf
    • https://cdn.shopify.com/s/files/1/0432/6254/1982/files/income_tax_fundamentals_2017.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/voxetevew.pdf
    • https://cdn.shopify.com/s/files/1/0431/4637/9426/files/evil_dead_2_torrent.pdf
    • https://cdn.shopify.com/s/files/1/0430/0849/1673/files/59699355068.pdf
    • https://cdn.shopify.com/s/files/1/0430/3791/7333/files/52349856579.pdf
    • https://cdn.shopify.com/s/files/1/0430/2009/1555/files/numibibaxisor.pdf
    • https://cdn.shopify.com/s/files/1/0432/7201/1931/files/29670299711.pdf
    • https://cdn.shopify.com/s/files/1/0431/0981/0343/files/air_water_soil_and_noise_pollution.pdf
    • https://cdn.shopify.com/s/files/1/0434/2218/7685/files/boland_college_employment_application_form.pdf
    • https://cdn.shopify.com/s/files/1/0433/9482/6405/files/47072138389.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000675b.bin
f3954da7fedf1de6652775663e9b98425e0001499e86043bda835e63a4f7c859		 pdf-font-stream PDF embedded font (sfnt) at offset 0x675B 4788 bytes
font_01_sfnt_off000077c8.bin
a6d389af2bddd7e66e5ba64980065cf65f0d73cefcbc99e6e1c5bdf8333460ff		 pdf-font-stream PDF embedded font (sfnt) at offset 0x77C8 10896 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.