Malicious PDF — malware analysis report

Static analysis result for SHA-256 1a2074cd2f501a33…

Verdict: MALICIOUS
File type: PDF
Size: 47.4 KB
Created: 2020-09-16 20:38:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: daf217253bc41d283c49fcc30a9c9297
SHA-1: d7830e9ce372eb89b0404d7df0bc7f1e0211f631
SHA-256: 1a2074cd2f501a33ffc0021ad20f4a1687770f2461a149d7557221d65b931a49
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link

The PDF contains an unusually large number of embedded links, and several heuristics flag it as a malicious redirector and an SEO link farm. The primary malicious URL is https://ttraff.me/wix?keyword=hk+drama+apk+for+tv+box, which most likely acts as the lure and the first hop of a redirect chain. The document body, although heavily obfuscated, references 'hk drama apk for tv box', consistent with a lure to download unwanted or malicious applications. The many clickable links to PDFs on other hosts point to a distribution strategy that seeds content and manipulates search results rather than a normal citation pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the risk is in what the click leads to, not in opening the file.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, and does not resemble a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so the severity is raised only when the duplicate carries active content (JavaScript, launch or open actions, embedded files).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Clickable link targets:
    • https://ttraff.me/wix?keyword=hk+drama+apk+for+tv+box
    • http://files.midnightpigeon.com/uploads/1/3/1/0/131071256/2847289.pdf
    • http://files.learningcafe.us/uploads/1/3/1/4/131437926/ba0b18bcc2e6e.pdf
    • http://daluwixo.samsysgroup.com.au/uploads/1/3/1/3/131384284/newegokaduxi.pdf
    • http://files.wallawallawinelimo.com/uploads/1/3/1/4/131408854/6287708.pdf
    • http://files.freyjapiercingonline.com/uploads/1/3/0/7/130775607/gudufesonexow.pdf
    • http://niwakuzo.rock-n-water.com/uploads/1/3/1/4/131438044/3036214.pdf
    • http://pewanepew.glennorion.com/uploads/1/3/1/6/131637372/segovo_lexevekojax_mekipizeximana_fosapexav.pdf
    • http://files.vinylspec.com/uploads/1/3/1/4/131406717/16c8064acf00.pdf
    • https://4e3232b2-26d2-4b8e-b8c4-5defc0cc80d1.filesusr.com/ugd/0582e0_9da4980fe846496eb3aa43eb4d9e96ea.pdf?index=true
    • https://7b7fa33b-cc36-4e87-9a67-30169471126b.filesusr.com/ugd/665c20_6640187639124a47bf4bde9f7c9d85e1.pdf?index=true
    • https://9ff1e5f7-eaa6-44db-b2a4-82af6c2595d7.filesusr.com/ugd/4b874d_bafc99100d324296b231331692e08fa4.pdf?index=true
    • https://1ac2d501-7579-4cdc-b730-7e474f60ad9a.filesusr.com/ugd/60e703_7d6c6fbae44a43a3814916397246c65d.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0433/7801/6406/files/lanip.pdf
    • https://cdn.shopify.com/s/files/1/0463/5177/7958/files/jarunofusibinilapawenib.pdf
    • https://cdn.shopify.com/s/files/1/0450/4174/6084/files/body_beast_worksheet.pdf
    • https://cdn.shopify.com/s/files/1/0431/4673/9868/files/70346291322.pdf
    Schema namespace URIs (XMP/RDF metadata declarations, not link targets; no action needed on these):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
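The three structural heuristics above (redirector link, external-PDF link farm, duplicate object with differing bodies) can be reproduced on raw PDF syntax with a short script. The following is an added example written for this page, not the scanner's own code. It runs over a constructed minimal PDF (not the analysed sample) in which object 4 is defined twice, the second time with JavaScript, and four /URI link annotations are present, three of them .pdf links on one host. The thresholds (3 PDF links, 200 KB, half the links on one host), the active-content key list and the watchlist containing only ttraff.me are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample (not the analysed file): object 4 is defined twice, the
# second time with active content, and four /URI link annotations are present,
# three of them external .pdf links clustered on one host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Length 0 >> stream
endstream endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://ttraff.me/wix?keyword=hk+drama+apk+for+tv+box) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://files.example.invalid/uploads/1/a.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://files.example.invalid/uploads/2/b.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://files.example.invalid/uploads/3/c.pdf) >> >> endobj
4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys whose presence turns a body-only duplicate from "info" into a real finding (assumed list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/EmbeddedFile")
# Host named in this report; in practice this comes from your own intel feed.
REDIRECTOR_HOSTS = {"ttraff.me"}


def object_definitions(data: bytes) -> dict:
    """Map (object number, generation) -> list of body bytes in file order."""
    defs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        defs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return defs


def duplicate_objects(data: bytes) -> list:
    """Objects defined more than once with differing bodies, together with what a
    first-wins and a last-wins reader would each resolve."""
    findings = []
    for key, bodies in object_definitions(data).items():
        if len(set(bodies)) < 2:
            continue  # identical re-definition, not a confusion shape
        active = any(k in body for body in bodies for k in ACTIVE_KEYS)
        findings.append({"obj": key, "first_wins": bodies[0], "last_wins": bodies[-1],
                         "severity": "high" if active else "info"})
    return findings


def extract_uris(data: bytes) -> list:
    """All literal-string /URI targets (hex-string form is not handled here)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def redirector_hits(uris: list) -> list:
    return [u for u in uris if urlparse(u).netloc.lower() in REDIRECTOR_HOSTS]


def link_farm_check(data: bytes, min_links: int = 3, max_size: int = 200_000,
                    cluster_ratio: float = 0.5) -> dict:
    """Flag a small PDF whose external .pdf links mostly sit on one host (thresholds assumed)."""
    uris = extract_uris(data)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    flagged = (len(data) <= max_size and len(pdf_links) >= min_links
               and top_count / len(pdf_links) >= cluster_ratio)
    return {"uris": uris, "pdf_links": len(pdf_links), "top_host": top_host, "flagged": flagged}


if __name__ == "__main__":
    for f in duplicate_objects(SAMPLE_PDF):
        print(f"obj {f['obj']} [{f['severity']}] first-wins={f['first_wins']!r} last-wins={f['last_wins']!r}")
    print("redirector:", redirector_hits(extract_uris(SAMPLE_PDF)))
    print("link farm:", link_farm_check(SAMPLE_PDF))
```

The script only sees uncompressed syntax; links or duplicate objects packed into compressed object streams have to be unpacked first (for example with `qpdf --qdf --object-streams=disable in.pdf out.pdf`). The first-wins/last-wins pair is the point of the duplicate-object heuristic: a conforming reader resolves an object through the xref table, so neither naive rule is what a full viewer does, but linear scanners pick one or the other, and a file that makes the two disagree deserves a closer look.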

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off00006758.bin
  SHA-256: b1c902c102210828ef0ce4cfaf54e87795b5d92e9e46c5dd988327a2c50d3a38
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6758
  Size: 5712 bytes

font_01_sfnt_off00007ae9.bin
  SHA-256: 9afc2130273d7e2190e45463bf33b941a305de52dc5cf34d5b1aad9d22efd9f0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7AE9
  Size: 5272 bytes

font_02_sfnt_off00008cc1.bin
  SHA-256: 0afc0b5cb1c525ef9b97ce25547f99e0bf866cf7de80fbccea64614c6cecbafc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8CC1
  Size: 10436 bytes