Malicious PDF — malware analysis report

Static analysis result for SHA-256 357b12b1c32d277a…

MALICIOUS

PDF

65.6 KB Created: 2020-10-30 03:55:45 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14
MD5: a9bb2491e451bc83b234c8e637392fa2 SHA-1: 390bbff7f08d393b48a604f922d34c7d4887da69 SHA-256: 357b12b1c32d277ac1c93def419a2b9c958ec3e647237fac584feec4a4cf605c
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to redirectors designed to obscure the final destination. The primary redirector URL, 'https://ttraff.me/123?keyword=animal+crossing+city+folk+insect+guide', is flagged as malicious. This suggests the document is part of a link farm or SEO manipulation scheme to distribute malware or conduct phishing, masquerading as a helpful guide.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/123?keyword=animal+crossing+city+folk+insect+guide In PDF document text
    • https://cdn-cms.f-static.net/uploads/4365584/normal_5f8a5eade9fcf.pdfIn PDF document text
    • https://lefedatit.weebly.com/uploads/1/3/0/7/130776734/putedesatamuba.pdfIn PDF document text
    • http://www.opentle.orgIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/888db67b-4121-43f1-bd39-500244e36693/ralibewevofa.pdfIn PDF document text
    • https://s3.amazonaws.com/retisovojor/pals_manual_free.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6918793b-e554-47b4-a7af-760efc3be8d5/kojetisodepuketojitin.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d144e343-d109-40f8-84bd-2c6589e369fb/budget_wireless_headphones.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a759c531-6b92-49bd-9cf6-bf20280ab6ad/sofumibasoginubugilatu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d571d4cc-c9b0-48d7-9c17-8dd61a04313d/83157518994.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/98c6b4d6-baba-4561-9fc0-6f3b4899813b/fowevibosorunuxifel.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/01164e13-3a40-4f34-934c-49b2a955e02b/8442021883.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://www.gnu.org/licenses/gpl.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off00009039.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x9039 17372 bytes
SHA-256: 947ea7b8c2225da26c7f632944ea140bc0d5cc6ce8196c6c90780d969015ae4c
font_00_sfnt_off00007da0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7DA0 5496 bytes
SHA-256: 70ec206eb37b093476c16a00aabcbed2b7ad717355830b54838d8d9747429c61
font_02_sfnt_off0000bf68.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xBF68 10088 bytes
SHA-256: f2df4f11acd0c3ef06866bd4dd232242b0f5a22d3e6aa981fa1579386477681a
font_03_sfnt_off0000e21f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE21F 16140 bytes
SHA-256: 159427b32ed66bfbde86def5e6c2992bde67dfb25400c4000a37c9b59b949b61