Malicious PDF — malware analysis report

Static analysis result for SHA-256 193dd50cc8021944…

MALICIOUS

PDF

40.2 KB Created: 2020-08-12 23:07:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 74634cfa47818b3446b29c1fee45b01f SHA-1: 01057871afe132f6bb47207faaae200f40300b2b SHA-256: 193dd50cc8021944a7b9bcad985ad5375a0ee6306a34b0bbee6b6fddfecfdec8
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links, with one identified as a malicious redirector pointing to 'https://ttraff.cc/wb?keyword=xml%20schema%20pdf'. The document also hosts a large number of external PDF links, many of which are benign but contribute to a link farm. The primary attack pattern involves luring users to click on these links, which likely leads to further malicious activity. No scripts were extracted, but the presence of the redirector and link farm strongly suggests a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wb?keyword=xml%20schema%20pdf
    • http://files.tdcwebstercity.com/uploads/1/3/2/6/132682813/vukufa-dugolawi.pdf
    • http://files.premiereemcee.com/uploads/1/3/1/6/131606159/874c247a10876.pdf
    • http://files.fitnessfactory1.com/uploads/1/3/2/3/132303359/245713.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/zorugeligix.pdf
    • https://cdn.shopify.com/s/files/1/0428/2312/3100/files/2634425908.pdf
    • https://cdn.shopify.com/s/files/1/0435/0060/1504/files/nivon.pdf
    • https://cdn.shopify.com/s/files/1/0431/3926/8774/files/wemunikuvisu.pdf
    • https://cdn.shopify.com/s/files/1/0428/5769/3347/files/anatomy_of_an_earthquake.pdf
    • https://cdn.shopify.com/s/files/1/0430/3863/8241/files/jozanujenixanowotole.pdf
    • https://cdn.shopify.com/s/files/1/0428/4396/3548/files/xarozoreg.pdf
    • https://cdn.shopify.com/s/files/1/0430/8720/0418/files/33949433274.pdf
    • https://cdn.shopify.com/s/files/1/0440/6837/2632/files/2x72_belt_grinder_plans.pdf
    • https://cdn.shopify.com/s/files/1/0429/2119/7724/files/2035950680.pdf
    • https://cdn.shopify.com/s/files/1/0432/3121/5774/files/vawanuxigojunaji.pdf
    • https://cdn.shopify.com/s/files/1/0429/8512/8095/files/1-_99_prayer_guide_osrs.pdf
    • https://cdn.shopify.com/s/files/1/0429/2568/6951/files/movufejivipon.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000057bf.bin
d4985f674e5ec333e93cf303ac6ed45b25828dd2595b98b258d9c5afcc195bf9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x57BF 5276 bytes
font_01_sfnt_off0000698b.bin
4adfdd0eae71229adcd53f2d8335f36483681b00a1530148b58df155ee11182e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x698B 13560 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.