Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ab988d50ffeebe0…

MALICIOUS

PDF

74.0 KB Created: 2020-08-31 03:06:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c6ced8ed4d491d2ebee50782fb01adef SHA-1: 75df1d06ae4e00cdb19ddbc48c8eedc45a544e5d SHA-256: 0ab988d50ffeebe0e19973094a4d87312f5230b3d02ab55d93ec3d633b3a358c
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for linking to known malicious redirector infrastructure, specifically 'ttraff.com'. It also exhibits characteristics of a PDF SEO link farm, embedding numerous external links, one of which points to a potentially malicious URL. The document body, though heavily obfuscated, contains the malicious URL, suggesting an attempt to disguise its true nature. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates a common tactic of instructing users to open a password-protected archive, likely to bypass security scanning.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=saglamindir+net+euro+truck+simulator
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0457/5831/6700/files/emergency_nursing.pdf
    • https://cdn.shopify.com/s/files/1/0457/4612/7004/files/rozegopikemazuveto.pdf
    • https://cdn.shopify.com/s/files/1/0438/6694/7744/files/change_to_jpg.pdf
    • https://cdn.shopify.com/s/files/1/0435/4247/9007/files/bronkitis_gejala.pdf
    • https://static.usrfiles.com/ugd/a382ee_38c5eb448ec94145b11346ed731877e1.pdf
    • https://cdn.shopify.com/s/files/1/0433/6710/4668/files/outlook_2016_trial.pdf
    • https://cdn.shopify.com/s/files/1/0439/0184/5659/files/differential_calculus_by_das_and_mukherjee.pdf
    • https://cdn.shopify.com/s/files/1/0433/3348/4702/files/etea_test_date_sheet_2018.pdf
    • https://cdn.shopify.com/s/files/1/0436/2820/0096/files/rezudiruzozotibur.pdf
    • https://cdn.shopify.com/s/files/1/0429/9476/1877/files/tigusezabanapavixi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b7c9.bin
c63fe1b95103cfe112f4c4bb3a2248afc0181f2c9d5063be13ef0d4985396c8f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB7C9 5308 bytes
font_01_sfnt_off0000c9ab.bin
d53ad113c4662ebf0564a906179d3232bb1edb87224909a113af03268cc63fa7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC9AB 13392 bytes
font_02_sfnt_off0000f3ca.bin
1b2ba628f786a6a53a2e347e0c4424ff2728452c1f162074ac3e64c6542c501c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF3CA 16616 bytes
font_03_sfnt_off00010a91.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10A91 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.