Malicious PDF — malware analysis report

Static analysis result for SHA-256 164f31c8811b69cb…

Verdict: MALICIOUS
File type: PDF
Size: 82.2 KB
Created: 2020-09-17 10:51:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cfa6e5d87a053f5f8fe69fc39a6f0b78
SHA-1: b9e7097f7c65eac4212c0015247baee141841210
SHA-256: 164f31c8811b69cbbc5f52d057adeabf43ea412cd344ae957da3b2fb73395f3b
Risk score: 194

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript
None of the heuristics below records a JavaScript-bearing object in this file, so treat the T1059.007 mapping as a generic PDF-lure tag rather than an observed behaviour; the only observed technique is the clickable redirect lure.

The PDF carries a large number of clickable external links, most of them pointing into a link farm built to route readers on to other sites. The critical finding is a link to known malicious redirector infrastructure, specifically 'https://ttraff.me/wix?keyword=the+cretan+bull+agatha+christie'; the ML classifier independently scores the file as malicious (1.0000). The same URL also appears in the document body, not only as a link annotation, which marks it as the primary lure. None of the findings depends on a PDF parser vulnerability: the delivery chain relies on the reader clicking through.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_RANDOM_URL_LINK (high): PDF link to algorithmically generated URL
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures, where the visible document is only a prompt; it is not a PDF parser vulnerability.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it does not, hence info.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) record which channel reached each one. Those labels are not reproduced on this page, so the URLs are grouped below according to the findings above.
    Redirector lure (clickable URI, also referenced in the document body):
    • https://ttraff.me/wix?keyword=the+cretan+bull+agatha+christie
    Clickable external .pdf links (the link farm: four on /uploads/ paths under assorted custom domains, fourteen on per-site filesusr.com subdomains, the Wix user-upload host):
    • http://files.coldharborroadcoc.org/uploads/1/3/0/7/130775186/4133229.pdf
    • http://files.pilatesofweston.com/uploads/1/3/0/8/130814258/puvaruma_bofak_zegujuvuselifel.pdf
    • http://janavif.foundationoflagunawoodsvillage.org/uploads/1/3/1/3/131380942/julawaluf_loxaxejuma.pdf
    • http://files.ourgaitedmountainhorses.com/uploads/1/3/0/7/130738534/c4d0a67ec1e7.pdf
    • https://24b141aa-eafd-44a8-a0a4-4e9e40380af5.filesusr.com/ugd/3254bf_a58f391ee67b47c091c4b424091c168b.pdf?index=true
    • https://d0de4984-24ae-4cd3-8ba7-97b2a310525c.filesusr.com/ugd/90d19e_7744913c9bfd4083a123ef4cb8032c75.pdf?index=true
    • https://04a163ac-2f48-47a0-aa43-a64062dc841f.filesusr.com/ugd/575fb0_635156f66f3a40679e39dffa1f739c1e.pdf?index=true
    • https://f1eed0ef-2a3c-40f1-af19-9370d143ccc2.filesusr.com/ugd/61b8bf_0912f714e5014b96a95542fd806fc962.pdf?index=true
    • https://f2dcd06f-f737-4b66-9cab-bf80c11db9ed.filesusr.com/ugd/5b1e3c_bec61dcb64054c718e253b90add69704.pdf?index=true
    • https://a396d42f-cb4e-4a2c-89f4-17d994967ef7.filesusr.com/ugd/50de67_7bbec5ba084f413f8cf5cf1de1c224b6.pdf?index=true
    • https://f690463a-e30a-4828-bc57-1c23cd1b703b.filesusr.com/ugd/95b9ea_387fb694a9ed4328900caff19d5c7dbc.pdf?index=true
    • https://ba48a5b5-053f-4b6a-b0f2-8782e3c2c30e.filesusr.com/ugd/bb10c5_2503b3f0948847c4b5f0e337f90c27b4.pdf?index=true
    • https://a32b4ba1-a77e-464e-8eb1-2565f2a59430.filesusr.com/ugd/3f2390_9826a847d5324da5948a8144257f702f.pdf?index=true
    • https://e811bed0-cde5-49ec-b90f-77f38ccbaed4.filesusr.com/ugd/38eac1_6217a84517d34077af1d3bf6ae9990bc.pdf?index=true
    • https://5ec46c12-5c4b-462f-a738-fd54d8f6a1ea.filesusr.com/ugd/4d548e_7ecd7b318eb644da86cea3dddb9de98b.pdf?index=true
    • https://759dc853-d095-45bf-95df-2670db296be9.filesusr.com/ugd/65e777_088c6a4cac534b7cb4a64b9596abc10e.pdf?index=true
    • https://2ba2246d-b276-4f37-a762-0f5f3724db6e.filesusr.com/ugd/c83fdb_339711d5db114014b1a6313a5a2b707b.pdf?index=true
    • https://b5db7cdd-df09-4411-919b-c2e66c25d67c.filesusr.com/ugd/89064d_a94e77babe6c4a4fab03d05cce6717c3.pdf?index=true
    Other links (consistent with copyright/licence text carried by the embedded fonts; not part of the lure):
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    XMP/RDF namespace identifiers and the SIL Open Font License reference (schema names and licence metadata from the authoring toolchain and the embedded fonts, not lures):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
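The three structural heuristics in this report (link farm clustering, long high-entropy URL tokens, and the same object number carrying two different bodies) are cheap to reproduce in triage tooling. The scanner below is an added example written for this page, not the analysis platform's code. It walks `N G obj ... endobj` records with a regex (no xref parsing), builds the object table both first-wins and last-wins, pulls `/URI` strings from the resolved objects, and applies the three checks. The sample input is a constructed PDF-like byte string using `.example` hosts (the hex token is copied from the first filesusr.com link above), and the thresholds (200 KB, 10 links, 50% host share, 24-character token at 3.5 bits/char) are this example's assumptions, not the platform's. The host-label randomness part of PDF_RANDOM_URL_LINK is not implemented; only the path/query token check is.

```python
import math
import re
from collections import Counter

# Regex-level PDF walking: enough for a triage scanner, not a full parser.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def iter_objects(pdf):
    """Yield (num, gen, body) for every 'N G obj ... endobj' in file order,
    including redefinitions appended by incremental updates."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def resolve_objects(pdf, policy="last"):
    """Build the object table the way a first-wins or last-wins reader would."""
    table = {}
    for num, gen, body in iter_objects(pdf):
        if policy == "first" and (num, gen) in table:
            continue
        table[(num, gen)] = body
    return table


def duplicate_objects(pdf):
    """(num, gen) pairs defined more than once with different body bytes,
    the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape."""
    first, dups = {}, set()
    for num, gen, body in iter_objects(pdf):
        if (num, gen) in first and first[(num, gen)] != body:
            dups.add((num, gen))
        first.setdefault((num, gen), body)
    return sorted(dups)


def extract_uris(table):
    """/URI strings from the resolved objects, so the resolution policy decides what is seen."""
    return [m.group(1).decode("latin-1")
            for body in table.values() for m in URI_RE.finditer(body)]


def host_of(url):
    return url.split("://", 1)[-1].split("/", 1)[0].lower()


def registrable(host):
    # Naive "last two labels"; a production scanner would use the public suffix list.
    return ".".join(host.split(".")[-2:])


def link_farm_score(size_bytes, uris, max_size=200 * 1024, min_links=10, min_share=0.5):
    """PDF_SEO_LINK_FARM: small file, many clickable .pdf links, clustered on one host.
    Thresholds are this example's assumptions."""
    pdf_links = [u for u in uris if u.split("?", 1)[0].lower().endswith(".pdf")]
    hosts = Counter(registrable(host_of(u)) for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    return {"pdf_links": len(pdf_links), "top_host": top_host, "top_share": share,
            "flag": size_bytes <= max_size and len(pdf_links) >= min_links and share >= min_share}


def shannon_entropy(s):
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in Counter(s).values()) if n else 0.0


def random_token_urls(uris, min_len=24, min_entropy=3.5):
    """PDF_RANDOM_URL_LINK, path/query part only: URLs carrying a long high-entropy token."""
    flagged = []
    for u in uris:
        parts = u.split("://", 1)[-1].split("/", 1)
        path = parts[1] if len(parts) > 1 else ""
        if any(len(t) >= min_len and shannon_entropy(t) >= min_entropy
               for t in re.split(r"[/?&=._\-]+", path)):
            flagged.append(u)
    return flagged


def build_sample_pdf(uris, redefine_first=None):
    """Constructed PDF-like sample: one page with a /Link annotation per URI.
    No xref table, so it is scanner test input, not a renderable PDF."""
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots ["
            + b" ".join(b"%d 0 R" % (4 + i) for i in range(len(uris))) + b"] >> endobj"]
    link = b"%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >> endobj"
    objs += [link % (4 + i, u.encode()) for i, u in enumerate(uris)]
    if redefine_first:  # appended like an incremental update: object 4 gets a second body
        objs.append(link % (4, redefine_first.encode()))
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\n%%EOF\n"


# Constructed hosts under .example; the hex token mirrors the filesusr-style links above.
SAMPLE_URIS = (
    ["https://site-%02d.filesusr.example/ugd/a58f391ee67b47c091c4b424091c168b.pdf?index=true" % i
     for i in range(12)]
    + ["http://files.other-host.example/uploads/1/3/0/7/guide.pdf",
       "http://www.vendor.example/typedesigners.html",
       "https://redirector.example/wix?keyword=book+title"]
)


def analyze(pdf, policy="last"):
    table = resolve_objects(pdf, policy)
    uris = extract_uris(table)
    return {"duplicates": duplicate_objects(pdf),
            "link_farm": link_farm_score(len(pdf), uris),
            "random_token_urls": random_token_urls(uris),
            "uris": uris}


if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URIS, redefine_first="https://redirector.example/landing")
    for policy in ("first", "last"):
        r = analyze(sample, policy)
        print(policy, r["duplicates"], r["link_farm"], len(r["random_token_urls"]))
```

Running `analyze` under both policies is the point of the duplicate-object check: object 4 resolves to the original link farm entry for a first-wins reader and to the appended landing URL for a last-wins reader, so a scanner that only builds one table can miss the URL the victim's viewer actually follows.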

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded font programs (sfnt containers, i.e. TrueType/OpenType data), which is expected output from wkhtmltopdf; neither is an executable payload.

Filename                        Kind             Source                                       Size
font_00_sfnt_off0001052e.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x1052E   5152 bytes
  SHA-256: 1ef3190c55981718c539d7e417f5a07f9f7f92dd2afa4439b39f8aa2751a699a
font_01_sfnt_off000116aa.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x116AA   10692 bytes
  SHA-256: e70e71586eb3e2cedcb10c90af1752b3818ee1eadfc414a331ea026102b239a3