Malicious PDF — malware analysis report

Static analysis result for SHA-256 0bdad4c0361982c2…

Verdict: MALICIOUS
File type: PDF
Size: 53.7 KB
Created: 2020-10-26 17:20:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a3da21812940ef2f6305c36ba139632b
SHA-1: 7e5f09d2550cee1bc60ea9389e60a4062932b3ac
SHA-256: 0bdad4c0361982c2a04dfd30189f16eab80044fe5a0e6b1abf6ff55f43d32954
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/123?keyword=hospital+games+apk+download'. The ML classifier also strongly flagged this PDF as malicious. The document body, though heavily obfuscated, contains the same malicious URL, indicating the primary intent is to redirect the user to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies (severity: info; rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/123?keyword=hospital+games+apk+download

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00006941.bin
    SHA-256: 948f8e9ecaa285bb848283b4e858ce6d7a8fab2712398520547d43eaf36fd74b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6941
    Size: 5300 bytes
  • font_01_sfnt_off00007b41.bin
    SHA-256: 97404509490a60211ca9e2a9d0938f9587c784913e8e209f22fc506e5c9860aa
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7B41
    Size: 4992 bytes
  • font_02_sfnt_off00008dae.bin
    SHA-256: 2da805dd1e8e48de9304678bfc1e63d45bc07d2db95814403bcb549a102bb5e3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8DAE
    Size: 10420 bytes
  • font_03_sfnt_off0000b17a.bin
    SHA-256: 3ac1f21516710853d74583436fb2f0cc0ceb9996a0b12126543e1442527276db
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB17A
    Size: 16716 bytes