Malicious PDF — malware analysis report

Static analysis result for SHA-256 1dda317b99169b06…

Verdict: MALICIOUS
File type: PDF
Size: 41.6 KB
Created: 2020-09-22 00:59:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a986daee55859e1c32ef81e0cd8c8768
SHA-1: dfd64e67f8b9ec4a200892275d6ad2d5106d4679
SHA-256: 1dda317b99169b069e1ddb3a6b7cc38b3b5db7f3c30d5f3ef01567a7807afdea
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link (the sub-technique name matching this ID; the document delivers clickable URIs rather than an exploit payload)
T1059.001 Command and Scripting Interpreter: PowerShell (listed by the report; the static results below consist only of URI links and embedded fonts and show no PowerShell content, so treat this mapping as unconfirmed)

This PDF document was flagged by a machine learning classifier and contains numerous embedded links. One link, 'https://ttraff.me/wix?keyword=e30+manual+transmission+brace', points to a known malicious redirector. The remaining links mostly point at other externally hosted PDF files spread across many domains, the pattern of a generated SEO link farm used to route victims into phishing or unwanted-software delivery chains. The sample is small (41.6 KB), was generated by wkhtmltopdf, and every heuristic below fired on its links rather than on any active content, so its delivery model is user interaction with the links and the redirect chain behind them, not a PDF parser vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/wix?keyword=e30+manual+transmission+brace (redirector hit; see PDF_MALICIOUS_REDIRECTOR_LINK)
    • http://gedujun.possumtrotchristiancamp.org/uploads/1/3/1/4/131452836/4971799.pdf
    • http://jegiwebel.insulinisgoingdown.com/uploads/1/3/0/8/130814328/nimidiki.pdf
    • http://files.stbxat.com/uploads/1/3/1/6/131637043/ronixisufi-rezem.pdf
    • http://zasid.discounttowelsofhouston.com/uploads/1/3/1/4/131483128/2100350.pdf
    • http://files.bonniegreenconsulting.com/uploads/1/3/1/4/131406744/mutixamosajip-vifegum-rewunitekewaxa-gesanoju.pdf
    • http://pefew.evolvingpartnership.com/uploads/1/3/2/6/132680856/2021221.pdf
    • http://purifatog.valleysinglemaltwhiskyclub.com/uploads/1/3/1/3/131381806/famarobodexo_mulik_bokuvuren.pdf
    • http://tivafefib.littlevandesignstudio.com/uploads/1/3/0/7/130740178/xuxekenuj.pdf
    • https://2fe1dc0b-0f3e-4c77-ac68-12b
    • https://d141205d-1ef2-4858-9ee2-aa161636fc37.filesusr.com/ugd/89c6ad_5616d21c7a704335a991b0c6d41c4fb6.pdf?index=true
    • https://85c82574-29f4-4db5-a747-7b0dc1ee43c0.filesusr.com/ugd/03a576_79d733ab43f1490098be4afcee46ee5a.pdf?index=true
    • https://7425a7ad-a6f1-47aa-a3c1-eb78ff245cc5.filesusr.com/ugd/91e123_e0cdb1eb23cd4de092af95a99dcf00a2.pdf?index=true
    • https://e4d470a8-ee00-4e4c-84b3-9974772c50bb.filesusr.com/ugd/828753_9b918a3befbd424e9e24d9295cef77b8.pdf?index=true
    • https://51b71d68-da10-4561-aacd-c2647be84e42.filesusr.com/ugd/de65f7_0ef1b668236c415fadae60eb2f739570.pdf?index=true
    • https://a20b266d-c793-4c3a-b553-46ca3b6d009b.filesusr.com/ugd/7dd30d_d09cdf31f64c457ca8d48e76fe51bd38.pdf?index=true
    • https://d747fcfb-73f5-4580-b602-ca6c489647ad.filesusr.com/ugd/a2de88_858bf3f14ee74955a33ab6188cd16436.pdf?index=true
    • https://2fe1dc0b-0f3e-4c77-ac68-12b804c0357a.filesusr.com/ugd/cc089a_79741ed2507642f79682960c4a06138d.pdf?index=true
    • https://01f67b36-6ac5-46e7-b272-fb0cf21282e6.filesusr.com/ugd/a2e20a_f9f5894e7a134cbeac1f5d9ce3415676.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are RDF, Dublin Core and XMP namespace identifiers from the document's XMP metadata packet, not clickable links; they appear in any PDF that carries XMP metadata and are not indicators on their own.
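The two critical heuristics above (PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM) are simple enough to reproduce. The following is an added example, not the scanner's own code: it pulls /URI link-annotation targets out of raw PDF bytes, checks them against a redirector denylist, and scores the link-farm pattern (small file, many external .pdf links, most of them on one registered domain), then runs over a constructed sample PDF. The REDIRECTOR_HOSTS denylist (seeded with the ttraff.me host from this report), all thresholds, and the placeholder example.net/example.org/example.com hosts are assumptions; the extractor also assumes link dictionaries are stored uncompressed with literal-string /URI values, as wkhtmltopdf writes them, and does not handle object streams or hex strings.

```python
import re
from collections import Counter
from urllib.parse import urlparse

REDIRECTOR_HOSTS = {"ttraff.me"}   # assumed denylist; the host is taken from the report
MAX_SIZE_BYTES = 200 * 1024        # assumed "small PDF" threshold
MIN_EXTERNAL_PDF_LINKS = 5         # assumed
MIN_TOP_DOMAIN_SHARE = 0.5         # assumed meaning of "mostly clustered on one host"

# /URI (literal string): accept backslash escapes, stop at the first unescaped ')'.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uri_links(pdf_bytes: bytes) -> list[str]:
    """Return every /URI action target found in the raw PDF bytes, in file order."""
    links = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\(.)", lambda e: e.group(1), m.group(1))  # undo \( \) \\ escapes
        links.append(raw.decode("latin-1"))
    return links


def registered_domain(url: str) -> str:
    """Crude eTLD+1 (last two labels): groups per-site subdomains of one file host together."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def redirector_hits(links: list[str]) -> list[str]:
    return [u for u in links if (urlparse(u).hostname or "").lower() in REDIRECTOR_HOSTS]


def link_farm_stats(links: list[str]) -> dict:
    ext_pdf = [u for u in links
               if urlparse(u).scheme in ("http", "https")
               and urlparse(u).path.lower().endswith(".pdf")]
    domains = Counter(registered_domain(u) for u in ext_pdf)
    top_domain, top_count = domains.most_common(1)[0] if domains else ("", 0)
    return {
        "external_pdf_links": len(ext_pdf),
        "top_domain": top_domain,
        "top_domain_share": top_count / len(ext_pdf) if ext_pdf else 0.0,
    }


def analyze(pdf_bytes: bytes) -> dict:
    """Apply both heuristics and return the evidence alongside the findings."""
    links = extract_uri_links(pdf_bytes)
    stats = link_farm_stats(links)
    hits = redirector_hits(links)
    findings = []
    if hits:
        findings.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if (len(pdf_bytes) <= MAX_SIZE_BYTES
            and stats["external_pdf_links"] >= MIN_EXTERNAL_PDF_LINKS
            and stats["top_domain_share"] >= MIN_TOP_DOMAIN_SHARE):
        findings.append("PDF_SEO_LINK_FARM")
    return {"links": links, "redirector_hits": hits, **stats, "findings": findings}


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed one-page PDF whose only content is link annotations.
    No xref table is written; the regex extractor does not need one."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs.append(f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{annots}] >>".encode())
    for u in urls:
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    f"/A << /S /URI /URI ({esc}) >> >>".encode())
    body = b"".join(f"{i + 1} 0 obj\n".encode() + o + b"\nendobj\n" for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"%%EOF\n"


# Constructed sample: the redirector URL from the report plus placeholder hosts that
# mimic the per-site subdomain pattern of the file-hosting links (assumed, not real).
SAMPLE_URLS = (
    ["https://ttraff.me/wix?keyword=e30+manual+transmission+brace"]
    + [f"https://site-{i}.files.example.net/ugd/{i:02x}_doc.pdf?index=true" for i in range(7)]
    + ["http://files.example.org/uploads/1/3/1/6/131637043/doc.pdf",
       "http://docs.example.com/uploads/1/3/0/7/130740178/doc.pdf",
       "https://www.example.com/about"]   # ordinary non-PDF link, ignored by the farm heuristic
)

if __name__ == "__main__":
    for key, value in analyze(build_sample_pdf(SAMPLE_URLS)).items():
        print(f"{key}: {value}")
```

Clustering on the registered domain rather than the full hostname is what makes the pattern in this report visible: the filesusr.com links above all sit on different per-site subdomains and would look like nine unrelated hosts to a naive hostname count.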

Extracted artifacts 3

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType) font streams, which wkhtmltopdf writes for every font it subsets into the page; they are listed for completeness and are not detections on their own.

font_00_sfnt_off0000573c.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x573C
  Size:    5232 bytes
  SHA-256: 2f946b826379f1c56551669c220ac23a80b8c57bda60f7b83b82f997ea7c479c

font_01_sfnt_off000068de.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x68DE
  Size:    10048 bytes
  SHA-256: a855c502f08d5374cd41e7752c3fe87b3d0e174fdfa9bb404077f0c7e9cbf5b2

font_02_sfnt_off00008b40.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x8B40
  Size:    4324 bytes
  SHA-256: a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f
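Carving the font artifacts listed above is mostly a matter of walking the PDF's stream objects, inflating them, and checking for an sfnt signature. The block below is an added example, not the scanner's code: it locates each stream dictionary, honours a direct /Length (falling back to scanning for endstream), FlateDecodes where needed, and names every sfnt payload the way the artifact table does (font_NN_sfnt_offXXXXXXXX.bin, with the offset of the compressed stream data in the file). The sample PDF and the minimal one-table font inside it are constructed; the code assumes streams are not nested in object streams, use at most FlateDecode, and have dictionaries nesting at most one level deep, and it does not handle hex strings or other filters.

```python
import hashlib
import re
import struct
import zlib

# A stream dictionary (one level of nesting allowed) followed by the stream keyword.
DICT_STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n")
# Direct /Length only; an indirect "/Length 5 0 R" is rejected by the lookahead.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?![\s\d]*R)")
SFNT_MAGICS = {b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def iter_streams(pdf: bytes):
    """Yield (dictionary, data_offset, raw_data) for each stream object in the file."""
    for m in DICT_STREAM_RE.finditer(pdf):
        d, start = m.group(1), m.end()
        ln = LENGTH_RE.search(d)
        if ln:
            end = start + int(ln.group(1))
        else:                                   # no usable /Length: scan for the keyword
            end = pdf.find(b"endstream", start)
            if end < 0:
                continue
            end = len(pdf[:end].rstrip(b"\r\n"))
        yield d, start, pdf[start:end]


def decode_stream(d: bytes, data: bytes) -> bytes:
    return zlib.decompress(data) if b"/FlateDecode" in d else data


def carve_fonts(pdf: bytes) -> list[dict]:
    """Return one record per sfnt payload, named like the report's artifact table."""
    found = []
    for d, off, raw in iter_streams(pdf):
        try:
            payload = decode_stream(d, raw)
        except zlib.error:                      # corrupt or non-zlib data: not a font stream
            continue
        if payload[:4] not in SFNT_MAGICS:
            continue
        found.append({
            "filename": f"font_{len(found):02d}_sfnt_off{off:08x}.bin",
            "offset": off,
            "size": len(payload),
            "num_tables": struct.unpack(">H", payload[4:6])[0] if len(payload) >= 6 else 0,
            "sha256": sha256_hex(payload),
        })
    return found


def make_fake_sfnt() -> bytes:
    """Constructed minimal sfnt: offset table, one 'cmap' table record, 16 bytes of table data."""
    table = b"\x00" * 16
    # version 1.0, numTables=1, searchRange=16, entrySelector=0, rangeShift=0
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    record = struct.pack(">4sIII", b"cmap", 0, 12 + 16, len(table))
    return header + record + table


def build_sample_pdf(font: bytes) -> bytes:
    """Constructed PDF: a Flate content stream, the font as /FontFile2, and a plain stream."""
    content = zlib.compress(b"BT /F1 12 Tf (hello) Tj ET")
    comp = zlib.compress(font)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Font /Subtype /TrueType /BaseFont /Fake /FontDescriptor 6 0 R >>",
        b"<< /Type /FontDescriptor /FontName /Fake /FontFile2 7 0 R >>",
        b"<< /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n" % (len(comp), len(font))
        + comp + b"\nendstream",
        b"<< /Length 5 >>\nstream\nabcde\nendstream",
    ]
    body = b"".join(b"%d 0 obj\n" % (i + 1) + o + b"\nendobj\n" for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"%%EOF\n"


SAMPLE_FONT = make_fake_sfnt()
SAMPLE_PDF = build_sample_pdf(SAMPLE_FONT)

if __name__ == "__main__":
    for record in carve_fonts(SAMPLE_PDF):
        print(record)
```

Hashing the inflated payload rather than the raw stream is deliberate: it is the decoded font that gets compared across samples, so two carriers built from the same template produce the same artifact hashes even when their Flate output differs.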