Malicious PDF — malware analysis report

Static analysis result for SHA-256 14fff22922a01eac…

MALICIOUS

PDF

50.3 KB Created: 2020-08-31 07:18:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 693cb7291ee7d68bd22ad0d5960e1754 SHA-1: ee9022274fd12a48c92d536190072590f4f447e5 SHA-256: 14fff22922a01eacaac43304954ab257a392c115e14398d645ed7d01c9484698
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=engineers+black+book+handbook'. It also exhibits characteristics of a link farm, with numerous embedded URLs. The document body, though heavily obfuscated, contains a reference to the same redirector URL, suggesting an attempt to trick users into visiting it. The presence of embedded URLs and the malicious redirector indicate a likely attempt to deliver a second-stage payload or phish for information.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=engineers+black+book+handbook
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static.usrfiles.com/ugd/455f95_d8ae68fd193849d898bde868bcd5be99.pdf
    • https://static.usrfiles.com/ugd/c068f8_6ef050146b264531873f90b94aa9665f.pdf
    • https://static.usrfiles.com/ugd/2f7815_163aae86d195485ba7c2d085fc9eef7e.pdf
    • https://static.usrfiles.com/ugd/8e1900_0aa2487296b34bdaae4c436dea329235.pdf
    • https://static.usrfiles.com/ugd/b8c837_cec5fffabf6c46e29bee0d0afaadb69c.pdf
    • https://static.usrfiles.com/ugd/b47706_6b1f7d424b7c4ef68ad1eb55649238f8.pdf
    • https://static.usrfiles.com/ugd/b8c837_1f625cbcf4794ec5883a050d4165a7bc.pdf
    • https://static.usrfiles.com/ugd/105a8c_2d99edf98af34ce989beba8aac2c04f4.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/liwisubusamepumiv.pdf
    • https://cdn.shopify.com/s/files/1/0438/8493/7384/files/59006959480.pdf
    • https://cdn.shopify.com/s/files/1/0436/4068/4697/files/38807723630.pdf
    • https://static.usrfiles.com/ugd/f523c3_ed1f5ac9393d4959b5103890369e779d.pdf
    • https://static.usrfiles.com/ugd/a2e20a_a8d92fa1783a422bab4e501f427f85a7.pdf
    • https://static.usrfiles.com/ugd/b8c837_f54b854553234c98a5bf2eab1b696b55.pdf
    • https://static.usrfiles.com/ugd/36f25b_2644f67ab96e4bb1b0cc61708b7a71dd.pdf
    • https://static.usrfiles.com/ugd/b8c837_41f77f6964174f279e88c00b328106d1.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008500.bin
950225cfd73ddc17248e1fb98a30959ba1f84f72494afea594be7336bd49bc88		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8500 5364 bytes
font_01_sfnt_off00009728.bin
fc09a6e821c45d674d73285f2b82fb400b95bdab2b32e15ba3e6c31d1b2339ae		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9728 11184 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.