Malicious PDF — malware analysis report

Static analysis result for SHA-256 21d88baabcab03a4…

MALICIOUS

PDF

41.4 KB Created: 2020-09-17 04:04:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0da691b7abfd13636e20cf163298dd89 SHA-1: 327c9bc022a37d8042315c84fb10bc363b3f43da SHA-256: 21d88baabcab03a4a1e80fb31031751cd78980a4e12ede4ee232fd6716beba2a
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass of external links, including a redirector to 'ttraff.me' which is flagged as malicious. The document body, though heavily obfuscated, contains the URL 'https://ttraff.me/wix?keyword=where+is+pineville+high+school+calendar', suggesting a lure to a malicious site disguised as a search result. The presence of numerous PDF links and the ML classifier's high confidence further support this malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=where+is+pineville+high+school+calendar
    • http://files.katsblissjournal.org/uploads/1/3/2/6/132682167/zedej.pdf
    • http://files.mckinneyinternational.org/uploads/1/3/2/7/132740498/fevutawip.pdf
    • http://files.lawrencemjackson.com/uploads/1/3/1/4/131482884/09461a.pdf
    • http://files.shineondyez.com/uploads/1/3/0/9/130968962/2615004.pdf
    • https://cdn.shopify.com/s/files/1/0435/7193/7439/files/4565754238.pdf
    • https://cdn.shopify.com/s/files/1/0437/1339/6901/files/tekken_7_tier_list_season_3.pdf
    • https://cdn.shopify.com/s/files/1/0433/4747/6648/files/flat_sheet_sizes_in_inches.pdf
    • https://9f151191-b049-427b-a296-b81101ec4174.filesusr.com/ugd/c722c2_1b572d9d45234f1b9d84ccd5b14922a1.pdf?index=true
    • https://8d4be0fe-56fc-47a6-883a-50d8b38550f8.filesusr.com/ugd/895bef_ec9294f30cd540148e4da0f22f0965d4.pdf?index=true
    • https://774d565c-440f-493f-9173-509cb4e02f42.filesusr.com/ugd/143c98_f56e0f5de30847ca94b48b716b89ee86.pdf?index=true
    • https://37be03b1-9f00-4560-adc2-b211873df638.filesusr.com/ugd/c33f71_b4ae758932f3437db3261a09cd43f350.pdf?index=true
    • https://f42c6338-0f0f-4c68-91f7-4093910ec1dc.filesusr.com/ugd/33ab24_53a7cd2571ed4a6ea74397b367c2603e.pdf?index=true
    • https://55cd38ab-cc2f-4ab8-9e9a-181ad073084b.filesusr.com/ugd/3a38e0_63d9a1e4d496425baf055bf406b567fc.pdf?index=true
    • https://4f815d05-d6d0-45fb-935f-32bb6221bcb0.filesusr.com/ugd/f09a9d_d07d664a0ff04c9cb247d62902526c95.pdf?index=true
    • https://6e9b181a-8f22-456b-812f-4c89879c2d08.filesusr.com/ugd/4e977a_96ae28e409524f9e8479e8eac2e5e8bc.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005597.bin
65073cc0e24606881efd8be1a6766a1c0a2bfe26dbfba3e466dc540c8c81b4fc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5597 5116 bytes
font_01_sfnt_off000066f4.bin
5bc738f8d28c3ffb3074d7050911b465f73bc58b30d0893d35c027ab0c7fd8cb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66F4 10388 bytes
font_02_sfnt_off00008a6b.bin
1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8A6B 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.