Malicious PDF — malware analysis report

Static analysis result for SHA-256 11e670a462291d84…

MALICIOUS

PDF

44.9 KB Created: 2020-09-20 02:09:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 395984bda7f64b7c023533d352b9b19f SHA-1: c107e107fcc3f3c4a9d12c5780b6cf62aeab9cb6 SHA-256: 11e670a462291d84f6d9aeff65b8c24ba6aa13c98342e7a88e2e6c714c43e7f1
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to external PDF files, suggesting a link farm or SEO manipulation tactic. One prominent link, 'https://ttraff.link/wix?keyword=reality+through+the+arts+8th+edition+pdf', is identified as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, indicating an attempt to disguise the malicious redirection as a search result. No scripts were extracted, but the presence of numerous external links and a malicious redirector strongly suggests a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=reality+through+the+arts+8th+edition+pdf
    • http://vuwomozu.artculturevs.org/uploads/1/3/1/3/131379394/debazemololumobug.pdf
    • http://fakija.suitlandhsfeasibilitystudy.com/uploads/1/3/1/4/131437375/korumulibogone_dilup.pdf
    • http://nerugunal.bobkloos.com/uploads/1/3/0/8/130814328/6f5119475aac97.pdf
    • http://vezezuri.electricscooterrentalorlando.com/uploads/1/3/0/9/130969465/6296e671489dc.pdf
    • http://widegu.thortorgerudcarpentry.com/uploads/1/3/1/3/131383330/jinadifatori.pdf
    • http://files.paulmorellimusic.com/uploads/1/3/1/8/131871816/3ba65d7.pdf
    • http://files.strikezoneacademy.net/uploads/1/3/1/8/131871501/safetobesunujaduf.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/97897646990.pdf
    • https://cdn.shopify.com/s/files/1/0428/1604/5222/files/69118776331.pdf
    • https://cdn.shopify.com/s/files/1/0427/8226/1415/files/13366325458.pdf
    • https://a97ee8a6-d0a3-43a6-a982-3f4ab2c91a4b.filesusr.com/ugd/957eb4_bccefe4cc95941b5812e19490575c060.pdf?index=true
    • https://bc2c2216-2a6e-438a-aa98-0aa44bf2f40a.filesusr.com/ugd/66f3f9_750c466a94b24f738bf5a8e7b44b3b91.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006f6f.bin
225234a107a1f0ddd946cb9d658f1286324ecd77104fa2bcaf4c5a30b86012db		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F6F 5604 bytes
font_01_sfnt_off00008289.bin
2c3834502eea29ece17ae10937bedd20380641709d858a9b8ceb195b6e3f8b15		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8289 10704 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.