Malicious PDF — malware analysis report

Static analysis result for SHA-256 1688476dbdb6bb61…

MALICIOUS

PDF

49.1 KB Created: 2020-08-04 20:29:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ccb77b76915b2f3758ecfbaa9d5a4086 SHA-1: 2abeed3db84c4cfb5ffb08e8f01e1a741ce478a3 SHA-256: 1688476dbdb6bb61f8b77d58fa96fea0f60e491d05f087c43b91dd64a265af10
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links, many pointing to what appears to be a link farm designed to host other PDF documents. One critical finding is a link to a known malicious redirector, ttraff.ru, which likely serves as a gateway to further malicious content. The ML classifier strongly indicates maliciousness, supporting the conclusion that this document is part of a phishing or redirection scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=thrilling+wonder+stories+pdf
    • http://xufosego.myfinalsnotes.com/uploads/1/3/1/3/131380729/tunogemazupilem.pdf
    • http://files.homegrownpets.com/uploads/1/3/1/4/131409074/835770.pdf
    • http://files.glenmoreparkbrumbiesjuniorrugbyleaguefootballclub.com.au/uploads/1/3/0/8/130874326/wufukerepubexa.pdf
    • http://files.hammellwinealliance.com/uploads/1/3/0/7/130775627/3780453.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0428/4815/7859/files/94484709459.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/9142282406.pdf
    • https://cdn.shopify.com/s/files/1/0428/3462/4679/files/89626370496.pdf
    • https://cdn.shopify.com/s/files/1/0430/6799/8362/files/60_second_science.pdf
    • https://cdn.shopify.com/s/files/1/0430/5184/3737/files/retunafamuru.pdf
    • https://cdn.shopify.com/s/files/1/0431/0161/8330/files/sliding_window_maximum.pdf
    • https://cdn.shopify.com/s/files/1/0440/6591/5032/files/steam_disk_write_error.pdf
    • https://cdn.shopify.com/s/files/1/0438/4574/6838/files/41221054935.pdf
    • https://cdn.shopify.com/s/files/1/0429/7015/3113/files/87984130484.pdf
    • https://cdn.shopify.com/s/files/1/0437/5740/4309/files/58934766667.pdf
    • https://cdn.shopify.com/s/files/1/0429/5163/9196/files/69587739316.pdf
    • https://cdn.shopify.com/s/files/1/0439/2956/7387/files/gujivijerotijiworakonejal.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007646.bin
0f71049b85a64469ceca68157c43859b794704af62cb13e018d7144f88496a6c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7646 4920 bytes
font_01_sfnt_off00008706.bin
d7fd51405753ff88c02b03832e57667a1eff64898067ae500521b420b28f64cf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8706 10040 bytes
font_02_sfnt_off0000a974.bin
d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA974 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.