Malicious PDF — malware analysis report

Static analysis result for SHA-256 06619374426e2be4…

MALICIOUS

PDF

54.2 KB Created: 2020-07-10 09:43:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f793c5d42c0c96b8915bb3f47e50125d SHA-1: 9f2ecef15c4d71cabb13017e204937a38eccabe3 SHA-256: 06619374426e2be4c2e0b4c17b18164366241511042205ff428d8bc13b77cd27
262 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document is classified as malicious and acts as a dropper, likely attempting to redirect users to malicious infrastructure. The document body and heuristics indicate a lure related to PDF compression, but the embedded links, particularly the one to 'ttraff.cc', point to a malicious redirector. The presence of numerous other PDF links suggests a link farm designed to distribute further malicious content or engage in SEO manipulation for malicious purposes.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 7

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Dropper.Agent-8977314-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-8977314-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wb?keyword=best%20way%20to%20compress%20pdf%20indesign
    • http://files.super-sounds.com/uploads/1/3/2/7/132740350/monojo.pdf
    • http://files.midwesternsales.com/uploads/1/3/1/4/131453636/suvuzoxatigu.pdf
    • http://files.cornerstonecowboychurch.org/uploads/1/3/1/1/131164524/5542394.pdf
    • http://files.legacyhorselogging.com/uploads/1/3/2/7/132712174/3518122.pdf
    • http://files.thedanceacademyofbarrie.com/uploads/1/3/2/3/132302999/volajalirejonewimefu.pdf
    • http://files.illinoisdelta.org/uploads/1/3/2/6/132681938/2186787.pdf
    • http://files.rachelsvineyardtucson.org/uploads/1/3/1/3/131383664/0714680.pdf
    • http://files.heartpieces.net/uploads/1/3/1/3/131379749/3776242.pdf
    • http://files.scifihistory.net/uploads/1/3/0/8/130874095/4590676.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://ginosogoza.files.wordpress.com/2020/06/saxigasewix.pdf
    • https://suzoxafa.files.wordpress.com/2020/06/vidovokiwalutuzabonunon.pdf
    • https://simipoleguw.files.wordpress.com/2020/07/95257771096.pdf
    • https://mifowoxar.files.wordpress.com/2020/07/61876515784.pdf
    • https://xaponajuniz.files.wordpress.com/2020/06/42414453399.pdf
    • https://devejav.files.wordpress.com/2020/07/gasebisiwotejinis.pdf
    • https://fulafemep.files.wordpress.com/2020/06/togolowojexulobudakova.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/zixetirubopejama.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/20659662050.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/sosivizugepu.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/vukabisozudetilo.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/nelafujadodejofit.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/wugituvunajobi.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/viruxirekosarobavogerij.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000095eb.bin
b1c652da419ddcf48c830d6253bdbb99f64a21d79f28be9f8c1fb418ca8c50b9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x95EB 5472 bytes
font_01_sfnt_off0000a88b.bin
a7637c8e6eeac9399c6275d62d2c4bcd66542454ec285fc8c5fcfa347c8bb74d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA88B 10264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.