Malicious PDF — malware analysis report

Static analysis result for SHA-256 3732f00c976f42e4…

MALICIOUS

PDF

42.0 KB Created: 2020-08-30 06:37:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1fbfa6178e83e57827eb37da07e991f7 SHA-1: 8f25719d3a645dccd1265deec62a14aee5b90c0a SHA-256: 3732f00c976f42e4f08719f7cee8301adac1cc7795baf91fba6a2f3b0e45c39b
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Attachment T1204.002 Malicious File: Malicious Link

The PDF contains numerous embedded links, with one pointing to a known malicious redirector (ttraff.com). The heuristic firings indicate this is a malicious redirector and part of a link farm, likely designed to distribute further malware or engage in phishing. The ML classifier strongly supports the malicious nature of this PDF. No scripts were extracted, but the extensive linking strategy is sufficient to classify it as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=three+houses+tea+party
    • https://static.usrfiles.com/ugd/6846fe_f71255066b9e42beaa5c7b51f681a926.pdf
    • https://static.usrfiles.com/ugd/b8c837_c33b2911070047f5bcef2f751b8f7695.pdf
    • https://static.usrfiles.com/ugd/b8c837_109163e0a77c40919393e58b29782ac3.pdf
    • https://static.usrfiles.com/ugd/b47706_94811ce180964de0863222bf57bd85d5.pdf
    • https://static.usrfiles.com/ugd/804ff6_1ceaa6d215c946cbbc5bc4710dd729d1.pdf
    • https://static.usrfiles.com/ugd/e6092c_034d8cffc7e24c57a3548f2ed20617ad.pdf
    • https://static.usrfiles.com/ugd/b8c837_854d07ea873f45c381e7c44f16111951.pdf
    • https://static.usrfiles.com/ugd/b8c837_ee9db509fe3b41b8b98ae1688667e26e.pdf
    • https://cdn.shopify.com/s/files/1/0431/7665/7051/files/rudes.pdf
    • https://cdn.shopify.com/s/files/1/0432/3105/1931/files/xiwuguvexilik.pdf
    • https://cdn.shopify.com/s/files/1/0440/6899/5222/files/whatsapp_karna_hai_jaldi_bhejo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000689e.bin
81ec4dcf7722031b8a0cd334fada84f6939ae82fd7f2800aaefae2e8547e26b9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x689E 4928 bytes
font_01_sfnt_off0000795e.bin
8fa8a38ea482ad6563954a1bb0f2676bcf3841bc21a1847a85a8d4f87ceb38ea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x795E 10036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.