Malicious PDF — malware analysis report

Static analysis result for SHA-256 3835c9e98b0a7c8f…

MALICIOUS

PDF

47.2 KB Created: 2020-11-03 19:59:51 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0a1cc8390c481221a4fb2c2ce8ecc7a7 SHA-1: 6f76eb0bea266f1545248859230befdae81f11be SHA-256: 3835c9e98b0a7c8f1d9c834fb27b634a3d02ed8d2fa5bbd839ecf26e3a6d4eec
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link to a known malicious redirector, identified by the 'PDF_MALICIOUS_REDIRECTOR_LINK' heuristic. The ML classifier also strongly flagged this PDF as malicious. The embedded URL 'https://ttraff.club/123?keyword=the+fox+and+the+hound+book' is the primary indicator of malicious intent, likely serving as a lure for phishing or to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/123?keyword=the+fox+and+the+hound+book
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/caeb2914-a504-47c9-a63d-9b94a7a3e14f/the_crucible_quotation_worksheet_answers.pdf
    • https://uploads.strikinglycdn.com/files/5cc7c92c-6732-4f19-99db-4566147b26cf/nepojutitaga.pdf
    • https://s3.amazonaws.com/wemupajese/mabozafikisuv.pdf
    • https://uploads.strikinglycdn.com/files/9b4142e1-1c1c-48c7-b626-0ab57d043dbe/19142542084.pdf
    • https://uploads.strikinglycdn.com/files/de4dc94b-4533-4f0e-a00d-aff421441d01/34230056572.pdf
    • https://uploads.strikinglycdn.com/files/889318f7-fb7e-41d0-9c48-a36221101fbd/its_finally_friday_yakuza.pdf
    • https://s3.amazonaws.com/jemazejodep/29907853420.pdf
    • https://s3.amazonaws.com/mujevubutukoxu/16713304981.pdf
    • https://uploads.strikinglycdn.com/files/38073cb1-0328-4ac2-9c00-1b14592efe07/rajepuzuzelekaz.pdf
    • https://s3.amazonaws.com/lupebesu/95784684575.pdf
    • https://s3.amazonaws.com/henghuili-files2/advanced_analytical_techniques.pdf
    • https://s3.amazonaws.com/xipavir/spotted_draft_horses_for_sale.pdf
    • https://uploads.strikinglycdn.com/files/83f7d906-e9ef-4cf6-b305-26ebe6384014/central_new_jersey_escort.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007a2a.bin
d55ecf70894a885a6cad9d9bedd4d8e66073186a0dc918e1485c0d9b808e44f0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A2A 4908 bytes
font_01_sfnt_off00008ae2.bin
50d45d3d90fbfbdcb158730ee4000ce6890eaf23d05f152a4ba46121da77f344		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8AE2 11100 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.