Malicious PDF — malware analysis report

Static analysis result for SHA-256 06e4e589a10f0017…

MALICIOUS

PDF

37.3 KB Created: 2020-08-30 21:18:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 859860cfdae4ba8e26e67124f18a7c57 SHA-1: d9b95410c196fb558f23a0c86b20e8a347d9c5ab SHA-256: 06e4e589a10f00178228de708659e0c723ad65ce15504109fe88c0b4f1d67fa0
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous links, with one identified as a malicious redirector pointing to 'ttraff.com'. This suggests the document is designed to lead users to malicious infrastructure, likely for phishing or to download further malware. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=fallout+4+fiberglass+code
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0440/9350/5688/files/17375649222.pdf
    • https://cdn.shopify.com/s/files/1/0427/7701/8524/files/fitbit_manual_flex_2.pdf
    • https://cdn.shopify.com/s/files/1/0434/3064/1826/files/tajerugopufu.pdf
    • https://static.usrfiles.com/ugd/87a178_f037a9fe2c534266bfc42a2dcdcd45b7.pdf
    • https://static.usrfiles.com/ugd/52b593_4f6b7e490bf944dda3ef09663ac9abbc.pdf
    • https://static.usrfiles.com/ugd/b8c837_8e4535b03d7846478409bbabe49bafdb.pdf
    • https://cdn.shopify.com/s/files/1/0433/3328/8091/files/delegation_of_financial_power_bangladesh.pdf
    • https://cdn.shopify.com/s/files/1/0429/1988/7001/files/48638944858.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005456.bin
c2315153bef1b308a7bd08fea2c7e26a025b35ab04943fb4b5c4c3097785e9fb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5456 5372 bytes
font_01_sfnt_off000066ad.bin
e1c8c101aaaab84786515312745cb68256e2b45ce2f3937b12739ea4b91605c1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66AD 10156 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.