Malicious PDF — malware analysis report

Static analysis result for SHA-256 18988ac6076af2b2…

MALICIOUS

PDF

105.1 KB Created: 2020-08-31 01:52:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 81294e4681aa9499fa1bcd407d307f27 SHA-1: 661a1a6f05cfa4d427a2adb2ef64bb180af3e06a SHA-256: 18988ac6076af2b2dec69a26cdd02f0ea1697a19c9a6aec681549fc84eb9d418
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file was flagged as malicious by an ML classifier and contains a large number of embedded links, many of which point to external PDF files. One of the primary links, 'https://ttraff.com/wix?keyword=%25D9%2585%25D8%25B9%25D9%2584%25D9%2588%25D9%2585%25D8%25A7%25D8%25AA+%25D8%25B3%25D9%2585%25D8%25A7%25D9%2586+%25D9%2583%25D8%25A7%25D9%2584%25D9%258A%25D9%2581%25D9%2588%25D8%25B1%25D9%2586%25D9%258A%25D8%25A7', is identified as a known malicious redirector. This suggests the document is designed to lead users to malicious sites or to distribute further malware, likely via a spearphishing attachment vector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=%25D9%2585%25D8%25B9%25D9%2584%25D9%2588%25D9%2585%25D8%25A7%25D8%25AA+%25D8%25B3%25D9%2585%25D8%25A7%25D9%2586+%25D9%2583%25D8%25A7%25D9%2584%25D9%258A%25D9%2581%25D9%2588%25D8%25B1%25D9%2586%25D9%258A%25D8%25A7
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static.usrfiles.com/ugd/1f2646_b2a570609dd0472192a18fde0efd81a4.pdf
    • https://static.usrfiles.com/ugd/b8c837_3cc702a799f440158ce52561a5081221.pdf
    • https://static.usrfiles.com/ugd/4c1554_ef42177d432d4c3db051268926a00a93.pdf
    • https://static.usrfiles.com/ugd/b8c837_2e736227da9c45b5bb0b3c9fcb3d05c2.pdf
    • https://static.usrfiles.com/ugd/e2f197_3bebd5abe1a147ab8c4bfbb40f0d80f7.pdf
    • https://static.usrfiles.com/ugd/b8c837_ce2eb99890cb4ec88b7d458bb6da8de4.pdf
    • https://static.usrfiles.com/ugd/63022f_ae4dbe9ab9194198a7ba282010fd23fc.pdf
    • https://static.usrfiles.com/ugd/b8c837_032545bc579f4844a2adcab88841ae67.pdf
    • https://static.usrfiles.com/ugd/68ec51_612fa3fb321a4efabf809a2259f88ae1.pdf
    • https://cdn.shopify.com/s/files/1/0428/0349/5071/files/47768963618.pdf
    • https://cdn.shopify.com/s/files/1/0437/5399/6442/files/conceito_de_abordagem_qualitativa.pdf
    • https://cdn.shopify.com/s/files/1/0438/0835/8561/files/osha_30_answer_key.pdf
    • https://cdn.shopify.com/s/files/1/0439/3828/3678/files/antrenmanlarla_matematik_1.pdf
    • https://cdn.shopify.com/s/files/1/0429/7955/7535/files/9th_class_english_grammar_book_free_download.pdf
    • https://static.usrfiles.com/ugd/b8c837_743a26bed5e847c9bbbd96eeb19aa4b5.pdf
    • https://static.usrfiles.com/ugd/6da380_ff7477720d834534897ece3d8198ca0f.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_006_off00015a56.bin
8c09650db78bc207c1fcb5d8a44daf92160f09ef93f86b6404639ba068033583		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x15A56 34016 bytes
font_00_sfnt_off00010efd.bin
ca42d5ed38f04d35f6c6ef927e9c0e2abbbfec64d896d823d531a8752c72a089		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10EFD 4068 bytes
font_01_sfnt_off00011cdb.bin
130811244e0738beac586ee7937da76d1d2be2f99bed100a342cd26bc11a1d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11CDB 17804 bytes
font_02_sfnt_off000137e7.bin
4f290886eb35133d7e8b90c33a7fefc708e9b1f7184f9d169e6889c501d61031		 pdf-font-stream PDF embedded font (sfnt) at offset 0x137E7 9972 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.