Malicious PDF — malware analysis report

Static analysis result for SHA-256 4831035a1fbd9b77…

MALICIOUS

PDF

Size: 56.7 KB
Created: 2020-09-19 13:12:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cd67463863ae6781931a55e077325bb5
SHA-1: a8e5d90a1d958512acbc1f5ada6da4098d2a12da
SHA-256: 4831035a1fbd9b7776e0dfad42f746c5e3e0e28f214e9cbc83b412be829095aa
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a significant number of embedded URLs, many of which are part of a link farm designed to appear as legitimate content. The primary malicious URL, https://ttraff.link/wix?keyword=ace+no+1+fishing+cheats, is identified as a redirector. The document body, though heavily obfuscated, contains references to "fishing cheats" and the malicious URL, indicating a lure to a phishing or scam page. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.link/wix?keyword=ace+no+1+fishing+cheats

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000663f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x663F | 5588 bytes | 599cb6d6f1f0ed9d886d84e93fececa0ea9d6154a50f6ca2fe8ea62bb48bf3ae
font_01_sfnt_off000079ca.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x79CA | 5056 bytes | 891f10d453cc91ad36648f681c0c3580ed13681cd340ead46d8846f465b1491c
font_02_sfnt_off00008b02.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8B02 | 6148 bytes | 149738eb3e1d0bfb4a5732e89a115965e6f0cf3fc4971c694d3ce3619176544d
font_03_sfnt_off00009ae1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9AE1 | 10736 bytes | 0bb0047ff900575abd1f64d84f5e67b2cedb95a03976817d6591e22018c68a43
font_04_sfnt_off0000bf4c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBF4C | 16192 bytes | 4baa08769ac31a0a51d511c7d1347f3433fd8666e28fc0139261bdd621bb26f9