Malicious PDF — malware analysis report

Static analysis result for SHA-256 45e4518a947511fd…

MALICIOUS

PDF

69.9 KB Created: 2020-08-30 05:43:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c83ec5bd00d2921572031087a5b7ae82 SHA-1: 7f3667257e7dd062da40897a8951caa101c4a6a1 SHA-256: 45e4518a947511fde88fbfcb670d3d88f5c89a5b2e27ba3f1c9c7ef0d8e84fc5
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged as malicious by an ML classifier and contains a significant number of embedded links, with at least one identified as a redirector to known malicious infrastructure. The document body, though heavily obfuscated, contains the URL 'https://ttraff.cc/wix?keyword=peter+pan+vs+captain+hook+sword+figh', which is also listed as a malicious redirector. The presence of a link farm suggests an attempt to broaden the reach of the malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=peter+pan+vs+captain+hook+sword+figh
    • https://static.usrfiles.com/ugd/7198c1_52c3665bed79443a9db84ee87b79feb7.pdf
    • https://static.usrfiles.com/ugd/b8c837_9204bb1157ed4d6c8c1fa81ea7f6baa1.pdf
    • https://static.usrfiles.com/ugd/b8c837_529e85e8eafa4c27acd767bef33f89b5.pdf
    • https://static.usrfiles.com/ugd/b8c837_1e0d82353fcf42f18595ed52e8a2d523.pdf
    • https://static.usrfiles.com/ugd/bf650e_5eff955be2c94fadbcd0dda3f3a80453.pdf
    • https://static.usrfiles.com/ugd/b8c837_6ca9ee3b85aa4b28a40204dbd0cb6a60.pdf
    • https://static.usrfiles.com/ugd/3cb679_6dc6806244fa4c53be8142c9820d3ac0.pdf
    • https://static.usrfiles.com/ugd/b8c837_2fe25d6526324c378ceb3e72ea834f89.pdf
    • https://static.usrfiles.com/ugd/b8c837_8cccca3c255e402999d60d41ee98f2f7.pdf
    • https://static.usrfiles.com/ugd/accd1f_6d7c4be0100948a1a0110b4d76254297.pdf
    • https://static.usrfiles.com/ugd/b8c837_59240b87a2df4a82886d87d09c4257d1.pdf
    • https://static.usrfiles.com/ugd/a382ee_b106551192eb454097af52180d454c1d.pdf
    • https://static.usrfiles.com/ugd/b8c837_6477cf545f694567a7980cc4a6bc81e6.pdf
    • https://static.usrfiles.com/ugd/77941b_8ce212abfb53457292fcde514f511146.pdf
    • https://cdn.shopify.com/s/files/1/0430/0367/4785/files/diagenesis_of_limestone.pdf
    • https://cdn.shopify.com/s/files/1/0435/3097/7434/files/jumbo_activity_book.pdf
    • https://cdn.shopify.com/s/files/1/0440/3511/3110/files/telecharger_catalogue_oriflame_avril_2020.pdf
    • https://cdn.shopify.com/s/files/1/0436/9799/5941/files/83549470384.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b896.bin
0312b4b5dea41369aecf29c947cff3a4f3e545a43bbe35a973cb824a83fc433c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB896 3700 bytes
font_01_sfnt_off0000c5d1.bin
9650b03086ae50649156be482c3bec3f6be04a736a2a2369f0302a67f62e24cc		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC5D1 5392 bytes
font_02_sfnt_off0000d82d.bin
0385274a79ffc577031c8042de5443e701548feb94dfb80b5a4cf9ad1d3415e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD82D 10276 bytes
font_03_sfnt_off0000fb60.bin
05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFB60 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.