Malicious PDF — malware analysis report

Static analysis result for SHA-256 123b9c076880ac0b…

Verdict: MALICIOUS
File type: PDF
Size: 50.8 KB
Created: 2020-08-16 21:19:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ee56da2d1756a7eefb24fdb8d7c0890e
SHA-1: 1d9c2e8b6b9e478d587500b79348dd85be4e1c6d
SHA-256: 123b9c076880ac0bfb3eedeaf6b9db04882aa15448a9ff03d5677166db1a7747
Risk score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains clickable links that point to a known malicious redirector, ttraff.com, together with a large number of external links to other PDFs, most of them clustered on a few potentially malicious hosts. The ML classifier scored the file as malicious (1.0). Taken together, this indicates a document built to lure users into a redirect chain through their own clicks, not one that exploits a PDF parser.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Link and document URLs:
    • https://ttraff.com/pify?keyword=lasagna+sheets+vegan
    • http://dirifas.darknessisfalling.com/uploads/1/3/0/7/130776225/gadubovumires.pdf
    • http://files.dx2hk.com/uploads/1/3/1/4/131453387/9083914.pdf
    • http://luwaf.kernowbears.com/uploads/1/3/1/3/131382595/vunukebuverafefuteve.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0429/8568/5153/files/kadovilemakenaxasikod.pdf
    • https://cdn.shopify.com/s/files/1/0431/6482/7805/files/24021727363.pdf
    • https://cdn.shopify.com/s/files/1/0448/8429/5847/files/41828648661.pdf
    • https://cdn.shopify.com/s/files/1/0430/1714/2433/files/julite.pdf
    • https://cdn.shopify.com/s/files/1/0430/5934/7618/files/95724918444.pdf
    • https://cdn.shopify.com/s/files/1/0433/2011/5358/files/29819118254.pdf
    • https://cdn.shopify.com/s/files/1/0437/2001/6024/files/gafobulolonibubukedopukef.pdf
    • https://cdn.shopify.com/s/files/1/0437/3928/3608/files/95619415969.pdf
    • https://cdn.shopify.com/s/files/1/0434/1848/4888/files/tusewuxo.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/52733892229.pdf
    XMP namespace identifiers and font licence URLs (strings from the metadata stream and the embedded fonts, not navigable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
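The three structural heuristics above (redirector link, SEO link farm, duplicate object body) reduced to working code, as an added example that is not the report's own tooling. It builds its own uncompressed sample PDF (constructed input, not bytes from the analysed file) with one ttraff.com link, ten external .pdf links on one host, and object 4 0 defined twice with an OpenAction in the second body, then runs the checks over it. The regexes, the size/count/cluster thresholds and the `cdn.example.net` host are assumptions for illustration; a production scanner also has to walk xref tables, object streams and stream filters, which this deliberately skips.

```python
import json
import re
from collections import Counter
from urllib.parse import urlparse

# Object-level regexes for an uncompressed PDF body (assumption: no object streams, no filters).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/URI")
KNOWN_REDIRECTORS = {"ttraff.com"}  # the redirector named in the report; extend from your own intel


def build_sample_pdf() -> bytes:
    """Constructed test input (not the analysed file): one redirector link, ten
    external .pdf links on one host, and object '4 0' defined twice."""
    urls = ["https://ttraff.com/pify?keyword=example"] + [
        f"https://cdn.example.net/files/{i:04d}.pdf" for i in range(10)]
    refs, annots = [], []
    for num, url in enumerate(urls, start=10):
        refs.append(f"{num} 0 R")
        annots.append(f"{num} 0 obj << /Type /Annot /Subtype /Link "
                      f"/A << /S /URI /URI ({url}) >> >> endobj")
    lines = [
        "%PDF-1.4",
        "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{' '.join(refs)}] >> endobj",
        "4 0 obj << /Producer (benign) >> endobj",
        *annots,
        # Second body for 4 0: a last-wins reader sees the OpenAction, a first-wins reader does not.
        "4 0 obj << /Producer (benign) /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj",
        "trailer << /Root 1 0 R >>",
        "%%EOF",
    ]
    return "\n".join(lines).encode("latin-1")


def parse_objects(data: bytes) -> dict:
    """Map (num, gen) -> list of body bytes in file order, keeping every redefinition."""
    objects = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objects.setdefault(key, []).append(m.group(3).strip())
    return objects


def duplicate_objects(objects: dict) -> list:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same object id, different bodies.
    Severity is raised only when a first-wins or last-wins body carries active content."""
    findings = []
    for (num, gen), bodies in objects.items():
        if len(set(bodies)) < 2:
            continue
        first, last = bodies[0], bodies[-1]
        active = any(k in b for b in (first, last) for k in ACTIVE_KEYS)
        findings.append({"obj": f"{num} {gen}", "definitions": len(bodies),
                         "first_wins": first.decode("latin-1"),
                         "last_wins": last.decode("latin-1"),
                         "severity": "high" if active else "info"})
    return findings


def extract_uri_links(objects: dict) -> list:
    """Collect /URI targets from every definition of every object, since different
    readers resolve different ones; de-duplicated in file order."""
    urls = [u.decode("latin-1") for bodies in objects.values()
            for b in bodies for u in URI_RE.findall(b)]
    return list(dict.fromkeys(urls))


def redirector_links(urls: list) -> list:
    """PDF_MALICIOUS_REDIRECTOR_LINK: any clickable URI whose host is a known redirector."""
    return [u for u in urls if (urlparse(u).hostname or "").lower() in KNOWN_REDIRECTORS]


def link_farm_verdict(urls: list, file_size: int, max_size: int = 200 * 1024,
                      min_pdf_links: int = 8, cluster_ratio: float = 0.5) -> dict:
    """PDF_SEO_LINK_FARM: small file, many external .pdf links, mostly on one host.
    The thresholds are assumptions for this example, not the report's."""
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    hit = file_size <= max_size and len(pdf_links) >= min_pdf_links and share >= cluster_ratio
    return {"pdf_links": len(pdf_links), "top_host": top_host,
            "top_host_share": round(share, 2), "hit": hit}


def analyse(data: bytes) -> dict:
    objects = parse_objects(data)
    urls = extract_uri_links(objects)
    return {"urls": urls,
            "redirector_links": redirector_links(urls),
            "link_farm": link_farm_verdict(urls, len(data)),
            "duplicate_objects": duplicate_objects(objects)}


if __name__ == "__main__":
    print(json.dumps(analyse(build_sample_pdf()), indent=2))
```

The duplicate-object check keeps both the first and the last body on purpose: which one a reader honours depends on the parser, so a URL or action present in only one of them still has to be counted, which is why `extract_uri_links` walks every definition rather than the resolved object.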

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00006c37.bin | 895e1e41973a7e7706c0279d92cf12dd1941634afe1f41a84c17b3c8c157aa97 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6C37 | 4820 bytes
font_01_sfnt_off00007c9e.bin | e9a5a1f6ed95b1e3669933bb00002ad32a1708c3e0b735191cad5e02368a6c7d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7C9E | 1800 bytes
font_02_sfnt_off0000852c.bin | 7b3051f97b01c7fa6bdbce328507b5e9205f2545ce3e2edcb5e84bd6141c409f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x852C | 10024 bytes
font_03_sfnt_off0000a7c0.bin | f08a3c455ed7297ce2c643f721e9e85b0d7bbc15b3e791ac9202f34c10d35c4f | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA7C0 | 16108 bytes