Malicious PDF — malware analysis report

Static analysis result for SHA-256 38a8a8e47f9283ac…

MALICIOUS

PDF

  • Size: 74.6 KB
  • Created: 2020-10-25 05:32:55 +02:00
  • Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
  • MD5: 289d5bf8f1d4785b6ca97593b54f8ee7
  • SHA-1: d25e994cdbc8948ecd038d8b68b8b4636397b094
  • SHA-256: 38a8a8e47f9283ac5c52a2df1cd62c945c6639e66092ae58f6d5426f93913ee5
  • Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a mass of external links, with one identified as a malicious redirector. The ML classifier strongly indicated maliciousness. The embedded URL 'https://ttraff.club/123?keyword=l+speed+apk+latest' is the primary indicator of malicious intent, likely serving as a lure for further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.club/123?keyword=l+speed+apk+latest

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

  • stream_005_off0000dd8f.bin
    SHA-256: 14759f6083d54f272b69c57fb5b488ed93be743de134afa7467e27d7584405c1
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xDD8F
    Size: 28312 bytes
  • font_00_sfnt_off0000a9d9.bin
    SHA-256: c2ee34389bdb4a3122a87d393ce49d20638d3924424f1e4035c5e2bc0263b9f0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA9D9
    Size: 4384 bytes
  • font_01_sfnt_off0000b8c7.bin
    SHA-256: 6beb91df08c747551b5130aa2413c4fe3d669e5078e134383d08bae596b3b946
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB8C7
    Size: 10692 bytes
  • font_03_sfnt_off00010eee.bin
    SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10EEE
    Size: 4324 bytes