Malicious PDF — malware analysis report

Static analysis result for SHA-256 1778eadaf1987fae…

Verdict: MALICIOUS
File type: PDF
Size: 72.5 KB
Created: 2020-09-18 02:19:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 57a7345f745380f6f60bdd037eddc463
SHA-1: b2f75be33550cb555246c711f1ca436dc4baa17d
SHA-256: 1778eadaf1987faef49b1eddf7212443addc099787f643d5fbcb6f1491dfbb94
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a clickable link to a known malicious redirector (ttraff.me), indicating an attempt to route the user to a malicious site rather than to exploit the PDF reader. The document body text, though heavily obfuscated, appears to be a lure about 'Ninja Gaiden games on PC', and the keyword parameter of the redirector URL repeats that lure. The numerous additional links to externally hosted PDFs indicate a link farm or redirection strategy rather than ordinary document citations.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the risk is to the user who clicks, not to the rendering application.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than the citation pattern of a normal document.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (such as JavaScript or an action).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JavaScript, link annotation, document body, ...) reached each URL.
    URLs extracted, grouped by what they are:
    Redirector link (the detection above):
    • https://ttraff.me/wix?keyword=ninja+gaiden+games+on+pc
    External PDF links clustered on one site (filesusr.com, used by Wix for user-uploaded files):
    • https://4cb2020f-0e34-4f7e-a209-1960041b5557.filesusr.com/ugd/e4ff69_2abac78c26734319845e62bcebd0fe9d.pdf?index=true
    • https://4ef2863c-b943-4ad1-a8a6-68dcb75904ff.filesusr.com/ugd/d1d005_cb38566515ee4f1a879a04c3fc7eb1d2.pdf?index=true
    • https://f5899a84-1927-4374-a0a1-65579ccb5f98.filesusr.com/ugd/704566_2505fad2208b465ca501bbaf213e9034.pdf?index=true
    • https://730b2e60-e25f-468e-917d-e6ae40b605b7.filesusr.com/ugd/21e6f2_1f37e0b0397449ff84e1e6b3b111d2ed.pdf?index=true
    • https://dcff85a1-9f73-4044-a829-d91f3768f467.filesusr.com/ugd/b41a9a_6a50179054e94c2da2378a11df53be7c.pdf?index=true
    • https://1b55a4c6-a942-4a05-85c7-05d9c08fefdf.filesusr.com/ugd/83e584_843ea9edc8b84d4d80802e51eebf3ac2.pdf?index=true
    • https://a84c2353-d6d8-45c8-a8e7-f2f68cce814f.filesusr.com/ugd/b463f2_9621fa9c57d04a2680a7c2672b6a8668.pdf?index=true
    • https://6bfa6df9-65f4-400f-bd9f-293a97171181.filesusr.com/ugd/8bc2a6_ea8f942ecda34f43ad701d781767315b.pdf?index=true
    • https://0c820880-1ecc-411c-b57f-6144188bad5d.filesusr.com/ugd/fe0276_f19a914f7f414874b8ccd9e9848109c9.pdf?index=true
    • https://28c18458-7c9f-48f8-80a3-c69e21da8fa9.filesusr.com/ugd/dec231_95e189cd34d94c88b1e5111d0db290a5.pdf?index=true
    • https://54dc7e00-3d4b-4f0c-af4f-3b27545ce313.filesusr.com/ugd/6cf0f5_f8d29ea715a44a26a66105ba3bd7ac83.pdf?index=true
    • https://bab63395-c97d-4abc-b6e7-e1224e2112fa.filesusr.com/ugd/27135d_2123cc376070497c8e0bad78d42faecb.pdf?index=true
    • https://d8a188fe-215c-451b-9f8c-8cdcc7850977.filesusr.com/ugd/83e584_fbed26c2a6774357b7a2289b5161780d.pdf?index=true
    Vendor, designer and licence URLs consistent with the name tables of the embedded fonts (not clickable links):
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://scripts.sil.org/OFL
    XMP/RDF namespace identifiers from the document metadata (not links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
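The three structural heuristics above (redirector link, link farm, duplicate object body) can be reproduced over raw PDF bytes. The following Python is an added example written for this page, not the analysis engine's own code, and it runs on a constructed PDF rather than on this sample. It assumes uncompressed objects (no object streams), literal /URI strings, illustrative thresholds, and it uses the last two DNS labels as a stand-in for the registrable domain; the only value taken from the report is the redirector domain ttraff.me.

```python
# Added example (not the report generator's own code): a raw-bytes re-implementation
# of the PDF_MALICIOUS_REDIRECTOR_LINK, PDF_SEO_LINK_FARM and
# PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics, run on a constructed PDF.
# Assumptions: objects are uncompressed (no /ObjStm), /URI values are literal
# strings, thresholds are illustrative, and site_of() is a crude stand-in for
# registrable-domain extraction (a real tool would use the public suffix list).
import re
from collections import Counter
from urllib.parse import urlsplit

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
KNOWN_REDIRECTORS = {"ttraff.me"}  # the redirector domain named in this report


def build_sample_pdf(urls):
    """Constructed input: one /Link annotation per URL, then an incremental
    update that redefines object 4 with different bytes. No xref is written;
    the scanners below work on object syntax alone (URLs must not contain ')')."""
    annots = b" ".join(b"%d 0 R" % i for i in range(5, 5 + len(urls)))
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [" + annots + b"] >> endobj",
        b"4 0 obj << /Length 0 >> stream\n\nendstream endobj",
    ]
    for i, url in enumerate(urls, start=5):
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (%s) >> >> endobj" % (i, url.encode()))
    update = (b"4 0 obj << /Length 30 >> stream\n"
              b"BT /F1 12 Tf (lure text) Tj ET\nendstream endobj\n")
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\n" + update


def scan_objects(data):
    """Map (num, gen) -> list of stripped body bytes in file order, keeping duplicates."""
    objs = {}
    for m in OBJ_RE.finditer(data):
        objs.setdefault((int(m[1]), int(m[2])), []).append(m[3].strip())
    return objs


def duplicate_objects(objs):
    """Objects defined more than once with differing bodies (first vs last definition)."""
    return [(k, b[0], b[-1]) for k, b in objs.items() if len(b) > 1 and len(set(b)) > 1]


def resolve(objs, key, policy):
    """What a reader sees for `key` under a first-wins or last-wins policy."""
    bodies = objs[key]
    return bodies[0] if policy == "first" else bodies[-1]


def extract_uris(data):
    """/URI literal strings with PDF backslash escapes removed."""
    return [re.sub(rb"\\(.)", rb"\1", m[1]).decode("latin-1") for m in URI_RE.finditer(data)]


def site_of(url):
    """Last two DNS labels as a crude registrable-domain key (assumption, see above)."""
    return ".".join((urlsplit(url).hostname or "").split(".")[-2:])


def redirector_hits(uris, known=KNOWN_REDIRECTORS):
    return [u for u in uris if site_of(u) in known]


def link_farm_assessment(uris, file_size, max_size=256 * 1024, min_links=8, min_share=0.5):
    """Small file + many external .pdf links + most on one site => link-farm carrier."""
    pdf_links = [u for u in uris
                 if urlsplit(u).scheme in ("http", "https") and urlsplit(u).path.lower().endswith(".pdf")]
    sites = Counter(site_of(u) for u in pdf_links)
    top_site, top_n = sites.most_common(1)[0] if sites else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    return {"external_pdf_links": len(pdf_links), "top_site": top_site, "top_site_share": share,
            "fires": file_size <= max_size and len(pdf_links) >= min_links and share >= min_share}


def analyze(data):
    objs = scan_objects(data)
    uris = extract_uris(data)
    return {"objects": objs, "uris": uris, "redirector_hits": redirector_hits(uris),
            "link_farm": link_farm_assessment(uris, len(data)), "duplicates": duplicate_objects(objs)}


# Constructed URL set: one redirector link, ten .pdf links on one site, one benign link.
SAMPLE_URLS = (["https://ttraff.me/wix?keyword=ninja+gaiden+games+on+pc"]
               + ["https://site%02d.filesusr.com/ugd/doc%02d.pdf?index=true" % (i, i) for i in range(10)]
               + ["http://www.example.org/"])
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    r = analyze(SAMPLE_PDF)
    print("redirector:", r["redirector_hits"])
    print("link farm:", r["link_farm"])
    for key, first, last in r["duplicates"]:
        print("duplicate object %d %d: first-wins=%r last-wins=%r" % (key + (first[:24], last[:24])))
```

Run it directly to print the findings. Because no xref table is written into the constructed file, first-wins and last-wins are pure scanner policies here; in a real incremental update the appended xref points a conforming reader at the newer body, which is why body-only differences are usually benign and why the heuristic above only raises severity when the duplicate carries active content. For a real sample, expand object streams first (for example with qpdf --qdf --object-streams=disable) before applying a byte-level scan like this one, or the /URI strings and duplicate definitions inside compressed streams will be missed.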

Extracted artifacts (4)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000a7ac.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA7AC
  Size: 12644 bytes
  SHA-256: a3adf938b18fb9610b8544ca79d9e0757f6913b2c3feef691e5d4d68593b098d
font_01_sfnt_off0000d13b.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD13B
  Size: 5016 bytes
  SHA-256: 8c77169b00698e07c0addd42af3aab484766ac5608c3570397eb445adb289bd2
font_02_sfnt_off0000e236.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE236
  Size: 10696 bytes
  SHA-256: 63bb1cd62150b1c66f47d7a2e1b7a6dad04aa8d9e83201de515226944996911c
font_03_sfnt_off000106c4.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x106C4
  Size: 4324 bytes
  SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333