Malicious PDF — malware analysis report

Static analysis result for SHA-256 096bbef24b4c76a4…

Verdict: MALICIOUS
File type: PDF
Size: 60.2 KB
Created: 2020-09-03 14:40:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 1eebe91f06ecdac6bc0c8ccaa87532ee
SHA-1: e3648e71251a822f0963541c28e44988479bc595
SHA-256: 096bbef24b4c76a495b1c87c8ca0f889dccbcfa04655c816a543625213ce146f

Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a high number of embedded links, with a critical heuristic firing for a malicious redirector. The primary malicious URL identified is ttraff.com, which is likely used to redirect users to further malicious content or phishing pages. While no scripts were explicitly extracted, the PDF structure and link farm suggest an attempt to drive traffic to malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/wix?keyword=field+guide+traduction+francais (primary malicious URL)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                     | SHA-256                                                          | Kind            | Source                                      | Size
font_00_sfnt_off00005fdc.bin | cd0876d919fb86270360726442b71504c6d5d63b56c71a46a874ccc827f42af0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5FDC   | 8892 bytes
font_01_sfnt_off00007da8.bin | 2cca98be28c55944bd525bd051ee19200561e7f2c0f9a373ca3c12a8c5a576d8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7DA8   | 5144 bytes
font_02_sfnt_off00008f34.bin | a5bede1824280680dd0fc4b6a1debc7eddff7f7ae601d0c57fcb2c3e8bbf3175 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8F34   | 8044 bytes
font_03_sfnt_off0000a53d.bin | 54aa8d0ab75edd1c9fc1d4aa4ee0462eb7b64c450d489b7bdce697d693d883ae | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA53D   | 11200 bytes
font_04_sfnt_off0000c9da.bin | 04bed771a0d480d2c853bd4a3c866e86ee876b6621f8c0efe5ef73a33f63fb6e | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC9DA   | 17324 bytes