Malicious PDF — malware analysis report

Static analysis result for SHA-256 12316cbcabc6aded…

MALICIOUS

PDF

72.0 KB Created: 2020-09-17 08:32:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3ee180812ff8972b2b7dec6a8c0cb1ab SHA-1: ecb840a514df7b1d64043587b026384181ef47e2 SHA-256: 12316cbcabc6aded90fe11fcab3d9168ea2dfaca46cc334d86e5eceea54eed14
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a heuristic firing for linking to known malicious redirector infrastructure, specifically a URL containing 'ttraff.link'. It also exhibits characteristics of a PDF link farm, with numerous embedded URLs pointing to external PDF files. The document body, though heavily obfuscated, contains a reference to the same malicious redirector URL, suggesting an attempt to drive traffic to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=rise+of+the+runelords+6+pdf
    • http://tanir.jefferyedoherty.com/uploads/1/3/1/4/131438873/sajebowexolaxe.pdf
    • http://files.ecosphererestorationinstitute.org/uploads/1/3/0/7/130739648/wodiluvabodowi.pdf
    • http://files.lucysartistcottage.com/uploads/1/3/1/4/131437604/kilis.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://c4679b84-3586-4ad9-b14d-6c8a816d968d.filesusr.com/ugd/84a5c6_175355820aaa45759e639e5fc577ae40.pdf?index=true
    • https://fb68bb01-4f6c-4245-85ba-066d3b218f87.filesusr.com/ugd/a86d68_997c3f31e8294fa4b617559f05710f6e.pdf?index=true
    • https://e9e79d79-fc8f-4c35-86df-7a37bb73e540.filesusr.com/ugd/28b3f7_553ebaf57ac24c319a98c737d7ab3659.pdf?index=true
    • https://e96adc2d-d2f9-44db-90cd-6deaa8b5afa2.filesusr.com/ugd/a58b01_e88f73302da044f49a6a76b388696665.pdf?index=true
    • https://621ed028-8d0c-4474-b85b-c0db3a3f6acb.filesusr.com/ugd/1e533a_7c07dae8e608410aabb90b57ae09961c.pdf?index=true
    • https://fd0569d8-f311-47b3-adfa-f26a18dd5310.filesusr.com/ugd/5e8de6_b402b37bac3646e599dfb751247da6d2.pdf?index=true
    • https://d6ebadda-b749-4fe3-9315-a2e97025f3b9.filesusr.com/ugd/90d19e_59c7fc468f5346a5935f775a587d99e3.pdf?index=true
    • https://acad1b30-391d-43bc-ab68-075cf1de2785.filesusr.com/ugd/a42eed_1a52b5421c65444fb2dfd51286a4a0d9.pdf?index=true
    • https://6c9854a8-3e34-4f1c-b326-62e69aff3031.filesusr.com/ugd/008e52_b57bbe1c15e641e7a9a085fef3dcbcf1.pdf?index=true
    • https://4d605e9f-048c-4743-a0b7-4605d6a15f20.filesusr.com/ugd/6a22cb_26792961f30c47a0ba4eb502179a3650.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d19c.bin
8199cb643b9ad47626edaf4cb5defd1b6ebfebfa84d45f0b6aa76b3a63f94c8c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD19C 5080 bytes
font_01_sfnt_off0000e2e3.bin
c327c1b4cd8f54d359ce9d6d111b1fd0f0e9bbd1024f8d1c63431ba05a2c328a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE2E3 15648 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.