Malicious PDF — malware analysis report

Static analysis result for SHA-256 177b3047c23631fd…

MALICIOUS

PDF

83.7 KB Created: 2020-09-17 18:59:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dc84fd7ab569572b987b93d42322826b SHA-1: f7647ad1678c3caf483cd50f7989b96a67b39fb8 SHA-256: 177b3047c23631fdc2d794820efa043a719bfdad7b52ef55d313ae7bd626ed23
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains numerous embedded links, a common tactic for SEO link farms and malicious redirectors. One prominent URL, https://ttraff.club/wix?keyword=inspiron+660+manual, is flagged as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting an attempt to lure users to potentially harmful content under the guise of a product manual. No scripts were extracted, but the PDF structure and embedded links strongly indicate a malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=inspiron+660+manual
    • http://files.yisonline.com/uploads/1/3/1/4/131482864/vamobijano_vibaf_dalenevodimi.pdf
    • http://files.dfmmc.com/uploads/1/3/0/8/130814337/dasasil_kepava_tukepakowasem_pisamokig.pdf
    • http://xiziva.mylifeinorder.com/uploads/1/3/2/8/132814930/57a062157.pdf
    • http://musoset.ykiminframaterials.net/uploads/1/3/1/6/131607163/4687440.pdf
    • http://files.toyouinspireflowers.com/uploads/1/3/0/7/130776521/5793582.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/nimapudusakodinufuzexive.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/68876684382.pdf
    • https://cdn.shopify.com/s/files/1/0439/4372/3163/files/34864736827.pdf
    • https://cdn.shopify.com/s/files/1/0435/6331/9445/files/busemujosetus.pdf
    • https://cdn.shopify.com/s/files/1/0430/8166/2628/files/valobuvulepisiped.pdf
    • https://cdn.shopify.com/s/files/1/0432/1126/0067/files/79446634059.pdf
    • https://0e3df0e7-2a9f-46fe-a84d-ff655ce40748.filesusr.com/ugd/f46427_289af68011124befaa010ced6de38ccc.pdf?index=true
    • https://9dba4ec2-ad51-4487-bf4c-752f9e2a8955.filesusr.com/ugd/fa32a6_1f6e9105a7e24195ae715b3cd8635649.pdf?index=true
    • https://23bc1084-941f-422a-b525-622c3232063e.filesusr.com/ugd/735189_a42f86b1b215454980551696792bb813.pdf?index=true
    • https://df9ff5da-caa1-42b8-ac01-2d0011c87bae.filesusr.com/ugd/268ab1_aafbab31b0b94613a8aedd40fb0765c2.pdf?index=true
    • https://d2a6f346-9a73-4f55-8223-2028a4242d94.filesusr.com/ugd/ebc5f9_23a2699be1b341d9a891f17695563e18.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000acdd.bin
2929e709c7eb6b2222e961fc1f68cb1b277d9108bb03cf45f4e7208b9558153d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xACDD 19940 bytes
font_01_sfnt_off0000ebcf.bin
1bb40ae0b15853bc1e442c86a4115c143bc1de44a2136af7a27e0e4b1b8e232e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEBCF 4880 bytes
font_02_sfnt_off0000fc2b.bin
6e8bf4a01dbe174783ef9dde48a081ee2804d7a34ce3709a78953d883993e5b4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFC2B 17524 bytes
font_03_sfnt_off0001321f.bin
9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1321F 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.