Malicious PDF — malware analysis report

Static analysis result for SHA-256 1733177b7ef78408…

MALICIOUS

PDF

Size: 49.0 KB
Created: 2020-07-09 19:38:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 097216be8ff9f45ca2d609434b06d2b4
SHA-1: 4da99672f4dd736fb9b3c9ea9d1c4dccf21b1d4d
SHA-256: 1733177b7ef784086f4bd1dca0f90abe8c3efd8d531b0450c61de46d7c406f23
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF contains a large number of clickable links, most of them to external PDF files on file-hosting domains, which is the pattern of a generated link farm used for SEO manipulation rather than a document's normal citations. One critical heuristic matched a link to known malicious redirector infrastructure, https://ttraff.ru/wb (here carrying a keyword query string), and the document body, though partially obfuscated, contains the same URL alongside the other PDF links. The authoring application (wkhtmltopdf, an HTML-to-PDF converter) is consistent with a machine-generated carrier. No scripts were extracted, so the T1059.007 (JavaScript) tag has no supporting artifact in this sample; the verdict rests on the link farm and the redirector, which means the document's effect depends on a user clicking a link and following a redirect chain rather than on a parser exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (an action, script or link rather than, say, a font or page-tree update).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The w3.org, purl.org and ns.adobe.com entries below are XMP metadata namespace identifiers, and the dejavu.sourceforge.net and scripts.sil.org/OFL entries are vendor and license strings from the embedded fonts (DejaVu, SIL Open Font License); none of those is a clickable link.
    • https://ttraff.ru/wb?keyword=sine%20law%20problems%20with%20solutions%20pdf
    • http://files.pendulumhealing.com/uploads/1/3/1/8/131858975/gurotimu.pdf
    • http://files.abrushwithnature.studio/uploads/1/3/0/7/130776517/4b065c0728a3.pdf
    • http://files.brunchinparis.com/uploads/1/3/2/7/132740880/d16749e6.pdf
    • http://files.whistlingfrogresort.com/uploads/1/3/2/6/132681002/masaberilanimubaloji.pdf
    • http://files.gbyws.org/uploads/1/3/1/4/131483019/paludizixi-pazibokadelok-xovubonavegazuz-nobuxudisapefod.pdf
    • http://files.balloontwistersdcvamd.com/uploads/1/3/0/9/130969375/gipagazovupibiz_tolokaduwimola.pdf
    • http://files.squareonegoodsco.com/uploads/1/3/2/8/132815154/tasawaz.pdf
    • http://files.stitchedwithcare.com/uploads/1/3/1/3/131383624/dowumi-wefudazebukop-wivavin-tajewowe.pdf
    • http://files.newleaforganizingllc.com/uploads/1/3/1/8/131857071/6418065.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://xalebaxiberu.files.wordpress.com/2020/06/69719415335.pdf
    • https://muwafinatub.files.wordpress.com/2020/06/rufijof.pdf
    • https://pexezixun.files.wordpress.com/2020/07/1988319812.pdf
    • https://miwexelak.files.wordpress.com/2020/06/jovinovufekofumojugev.pdf
    • https://gijuduvi.files.wordpress.com/2020/07/67210297209.pdf
    • https://xizabetone.files.wordpress.com/2020/06/zawipogiluma.pdf
    • https://sarekuxiwaz591622790.files.wordpress.com/2020/07/11447830060.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/59526866216.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/38935964995.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/55742160690.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/vevisip.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/73470001672.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/87899810879.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/bararilisubolubudikolumo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
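The two critical heuristics and the duplicate-object note above can be reproduced with a small triage pass. The following is an added example, not the analysis platform's own code: it runs a regex pass over raw PDF bytes (no stream inflation, literal-string URIs only), resolves duplicate objects both first-wins and last-wins, extracts link-annotation URIs from the objects each reader would actually see, clusters them by host and flags the ttraff.ru host the report identifies as redirector infrastructure. The sample PDF bytes, the hosts host-a through host-d.example and the thresholds (file size, link count, host share) are constructed assumptions.

```python
"""Added PDF link-farm / duplicate-object triage (example code, not the
analysis platform's). Regex pass over raw bytes: it does not inflate
FlateDecode streams and only reads literal-string URIs, so it sees exactly
what is stored in plain object bodies."""
import re
from collections import Counter
from urllib.parse import urlparse

# "(?<!\S)" stops "1.4\n1 0 obj"-style false starts inside the %PDF header.
OBJ_RE = re.compile(rb"(?<!\S)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # literal strings only; no hex strings, no escaped ")"

# Indicator taken from the report above; the hosts used in the sample are constructed.
REDIRECTOR_HOSTS = {"ttraff.ru"}


def iter_objects(data):
    """Yield (num, gen, body) for every 'N G obj ... endobj' occurrence, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(data):
    """(num, gen) -> bodies, for objects defined more than once with different bytes."""
    bodies = {}
    for num, gen, body in iter_objects(data):
        bodies.setdefault((num, gen), []).append(body)
    return {k: v for k, v in bodies.items() if len(set(v)) > 1}


def resolve_objects(data, last_wins=True):
    """Map (num, gen) -> body the way a last-wins (most readers) or first-wins parser would."""
    resolved = {}
    for num, gen, body in iter_objects(data):
        if last_wins or (num, gen) not in resolved:
            resolved[(num, gen)] = body
    return resolved


def extract_link_uris(data, last_wins=True):
    """URIs from /URI actions in the objects a given parser would actually resolve."""
    uris = []
    for _key, body in sorted(resolve_objects(data, last_wins).items()):
        uris += [m.group(1).decode("latin-1") for m in URI_RE.finditer(body)]
    return uris


def triage_links(uris, file_size, max_size=100_000, min_pdf_links=10, min_share=0.5):
    """Link-farm and redirector check. Thresholds are assumed values, not the report's."""
    hosts = Counter(urlparse(u).netloc.lower() for u in uris)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(uris) if uris else 0.0
    return {
        "total_links": len(uris),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(share, 3),
        "redirector_hosts": sorted(set(hosts) & REDIRECTOR_HOSTS),
        "link_farm": file_size <= max_size and len(pdf_links) >= min_pdf_links and share >= min_share,
    }


# --- constructed sample (not the analysed file) ---------------------------
def _annot(num, uri):
    return b"%d 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\nendobj\n" % (num, uri)

_LINKS = ["https://ttraff.ru/wb?keyword=example"]
_LINKS += ["http://files.host-a.example/uploads/1/%d.pdf" % i for i in range(8)]
_LINKS += ["https://host-b.example/files/%d.pdf" % i for i in range(2)]
_LINKS += ["https://host-c.example/files/x.pdf"]
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
SAMPLE_PDF += b"".join(_annot(10 + i, u.encode()) for i, u in enumerate(_LINKS))
# Incremental-update shape: object 10 is defined again with a different URI,
# so first-wins and last-wins readers follow different links.
SAMPLE_PDF += _annot(10, b"https://host-d.example/other.pdf")
SAMPLE_PDF += b"%%EOF\n"

if __name__ == "__main__":
    print("duplicates:", sorted(duplicate_objects(SAMPLE_PDF)))
    for last_wins in (False, True):
        uris = extract_link_uris(SAMPLE_PDF, last_wins)
        print("last_wins" if last_wins else "first_wins", triage_links(uris, len(SAMPLE_PDF)))
```

Running it shows why the duplicate-object heuristic matters for link triage: the first-wins view of the sample contains the redirector host, the last-wins view does not, so a scanner that only resolves objects one way can miss the indicator a reader will actually follow. On a real file, inflate FlateDecode object streams first; annotations stored there are invisible to this raw pass.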

Extracted artifacts 3

Files carved from inside the sample during analysis. All three are embedded font programs (sfnt containers) rather than payloads; they are listed so they can be hashed and excluded from further triage.

  • font_00_sfnt_off00006b8f.bin
    SHA-256: 657f1ede4b049576c59dd31d357f7d463dfbe159a363f781e2ecb857effc1a1a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6B8F
    Size: 5500 bytes
  • font_01_sfnt_off00007e11.bin
    SHA-256: a606abf7271be1fc84623b5441a0b853966201007890842c6fecd585f5c44e65
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7E11
    Size: 10304 bytes
  • font_02_sfnt_off0000a182.bin
    SHA-256: ab6a2d92c6195441154fe03e3add47570783810922a3b82dfc3833ffb97f5f96
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA182
    Size: 16072 bytes
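How a carver arrives at an offset, a byte length and a hash for an embedded sfnt font, as an added example that is not the analysis platform's code: it scans raw bytes for the sfnt signatures, validates the table directory so that stray occurrences of the word "true" in PDF dictionaries are rejected, and derives the font's extent from the furthest table record. It assumes the font stream is stored uncompressed; a FlateDecode stream has to be inflated before scanning. The minimal font and PDF wrapper it operates on are constructed inline.

```python
"""Added sfnt (TrueType/OpenType) font carver (example code, not the analysis
platform's). Scans raw bytes for sfnt headers, validates the table directory
and derives the font's extent from its table records. Assumes the font stream
is stored uncompressed; inflate FlateDecode streams before scanning them."""
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
MAX_TABLES = 64  # assumed sanity bound; real fonts carry a few dozen tables


def sfnt_extent(data, off):
    """Byte length of a plausible sfnt starting at `off`, or None."""
    if data[off:off + 4] not in SFNT_MAGICS or off + 12 > len(data):
        return None
    num_tables = struct.unpack(">H", data[off + 4:off + 6])[0]
    if not 1 <= num_tables <= MAX_TABLES:
        return None
    dir_end = 12 + 16 * num_tables
    if off + dir_end > len(data):
        return None
    end = dir_end
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        tag, _checksum, toff, tlen = struct.unpack(">4sIII", data[rec:rec + 16])
        # Table tags are printable ASCII ("head", "OS/2", "cvt "); table data
        # must sit past the directory and inside the buffer.
        if not all(0x20 <= c < 0x7F for c in tag):
            return None
        if toff < dir_end or off + toff + tlen > len(data):
            return None
        end = max(end, toff + tlen)
    return end


def carve_fonts(data):
    """[(offset, length, sha256hex)] for every validated sfnt found in `data`."""
    found, pos = [], 0
    while True:
        hits = [h for h in (data.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            return found
        off = min(hits)
        length = sfnt_extent(data, off)
        if length is None:          # e.g. the word "true" in a PDF dictionary
            pos = off + 1
            continue
        found.append((off, length, hashlib.sha256(data[off:off + length]).hexdigest()))
        pos = off + length


# --- constructed sample (not the analysed file) ---------------------------
def build_sfnt(tables):
    """Minimal sfnt: header, table directory, 4-byte-aligned table data.
    searchRange/entrySelector/rangeShift and checksums are left zero."""
    n = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0)
    records, blobs, off = b"", b"", 12 + 16 * n
    for tag, data in tables:
        records += struct.pack(">4sIII", tag, 0, off, len(data))
        padded = data + b"\0" * (-len(data) % 4)
        blobs += padded
        off += len(padded)
    return header + records + blobs

FONT = build_sfnt([(b"head", b"\x00\x01\x00\x00" + b"\x00" * 50), (b"name", b"DemoFont")])
# "/Marked true" is a deliberate decoy: it matches an sfnt magic but fails validation.
_PREFIX = (b"%%PDF-1.4\n5 0 obj\n<< /MarkInfo << /Marked true >> >>\nendobj\n"
           b"7 0 obj\n<< /Length %d /Length1 %d >>\nstream\n" % (len(FONT), len(FONT)))
SAMPLE_PDF = _PREFIX + FONT + b"\nendstream\nendobj\n%%EOF\n"
FONT_OFFSET = len(_PREFIX)

if __name__ == "__main__":
    for off, length, digest in carve_fonts(SAMPLE_PDF):
        print("font_sfnt_off%08x.bin  %d bytes  sha256=%s" % (off, length, digest))
```

The extent check is what keeps the carve honest: without it, any 4-byte signature hit would yield a blob of arbitrary length and a hash that matches nothing in a font-signature database.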