Malicious PDF — malware analysis report

Static analysis result for SHA-256 30d21d47b16805cf…

Verdict: MALICIOUS
File type: PDF
Size: 138.1 KB
Created: 2020-09-21 16:23:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-23
MD5: f90a544b667b0c37a9a8842b6430a736
SHA-1: 8ea78940bc23def5e36356c0caed3865a4499df0
SHA-256: 30d21d47b16805cf47e6aa1131f0f31a6220775cbffe193a816400d64fab6628
Risk Score: 162

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link to a known malicious redirector, ttraff.com, which is used to lure users with search engine optimized keywords like 'birds of prey full movie free download'. The PDF also contains a mass external PDF link farm, indicating a spam or SEO abuse tactic. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); this is a low-signal finding unless other findings point to a malicious workflow.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL [channel]
    • https://ttraff.com/wix?keyword=birds+of+prey+full+movie+free+download+in+tamil [In PDF document text]
    • http://www.ascendercorp.com/ [In PDF document text]
    • http://www.ascendercorp.com/typedesigners.html [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0481/2351/0935/files/marvel_strike_force_apk_download.pdf [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0435/8638/8136/files/49508798148.pdf [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0439/4260/9051/files/minecraft_pocket_edition_1.0.0_downl.pdf [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0484/3841/1422/files/tanapovagefemezaremuz.pdf [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0477/9782/9791/files/81082448206.pdf [In PDF document text]
    • https://eb725abb-63a4-49eb-9133-06a5c1dc35fb.filesusr.com/ugd/10a4aa_6cbe00f2501d4b9b86bd2da569413b9e.pdf?index=true [In PDF document text]
    • https://4d3a07bd-3c16-430f-ab23-67734776f6cf.filesusr.com/ugd/dba42a_1fa221727b474724af136699f165a646.pdf?index=true [In PDF document text]
    • https://1b880c0e-d67b-4e18-9b81-cd68d1fa1dd5.filesusr.com/ugd/4fea5c_c523446cf8bc4e3bb82e38ab27cffcbe.pdf?index=true [In PDF document text]
    • https://1b429c51-0865-4f94-9f5a-1ecdbf3c238b.filesusr.com/ugd/1b6cec_5cd672d979a34b41b7c912e083130ca9.pdf?index=true [In PDF document text]
    • https://419600ef-7838-45db-8692-35e87e8b0924.filesusr.com/ugd/e32576_c253cd99fd35413cb5c17ad7ff479337.pdf?index=true [In PDF document text]
    • https://957c14e0-526b-4b94-9d2f-a67074598e9e.filesusr.com/ugd/d43733_c549ee1f28b44c35b72e40c0bb8efc41.pdf?index=true [In PDF document text]
    • https://59dffc3f-fc5d-4a52-aebf-38e6e678a73d.filesusr.com/ugd/24deb6_e70e938cb5744f59bb6d71d88e2dbe18.pdf?index=true [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0429/5576/7967/files/55065603317.pdf [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0430/0744/3103/files/mosenidoluvitozedimalo.pdf [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0437/6241/7825/files/lewuzaro.pdf [In PDF document text]
    • https://cdn.shopify.com/s/files/1/0435/7554/1919/files/descargar_pin_para_blackberry.pdf [In PDF document text]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# [In PDF document text]
    • http://purl.org/dc/elements/1.1/ [In PDF document text]
    • http://ns.adobe.com/pdf/1.3/ [In PDF document text]
    • http://ns.adobe.com/xap/1.0/ [In PDF document text]
    • http://ns.adobe.com/xap/1.0/mm/ [In PDF document text]
    • http://ns.adobe.com/xap/1.0/rights/ [In PDF document text]
    • http://dejavu.sourceforge.net [In PDF document text]
    • http://dejavu.sourceforge.net/wiki/index.php/License [In PDF document text]
    • http://scripts.sil.org/OFL [In PDF document text]
    • https://savannah.gnu.org/projects/freefont/ [In PDF document text]
    • http://www.gnu.org/licenses/ [In PDF document text]
    • http://www.gnu.org/copyleft/gpl.html [In PDF document text]

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_009_off0001d97b.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1D97B | 32948 bytes | 12b8ec4b1b9ba26e2d598862dea02c555af0518dc17f86a64bcf6256b60ab179
font_00_sfnt_off00012109.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12109 | 18156 bytes | f47e2c0c94b91f3ee04f569588bd68936e82a998464a53ff68c12590eb1472f4
font_01_sfnt_off00015bd9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15BD9 | 5488 bytes | 33770bd6dd4f929f8e3701dc348e679cf513fd258d395ffc9d1feb68f91ddf7e
font_02_sfnt_off00016e4d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16E4D | 6836 bytes | fc9b3319ab2c2285d93584ed494702df366c024b91ade3d5ca718b183374b13d
font_03_sfnt_off00017f80.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17F80 | 18024 bytes | c00480fadc4f754b49ef91506861201b6780e8f1922ef21b9678feeebfa5128b
font_04_sfnt_off0001adaa.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1ADAA | 13420 bytes | f724f9917b275083ef823d43b793e0ec6e0f9e28cb071fa4bf64731e5635408a