Malicious PDF — malware analysis report

Static analysis result for SHA-256 4cc5b62ba53da6c9…

Verdict: MALICIOUS
File type: PDF

Size: 35.5 KB
Created: 2020-09-17 23:26:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e2d802905147016b36c37a79e9904ecb
SHA-1: 5b6b0e476cc3a51556d5bfc35073034e9e0d6da1
SHA-256: 4cc5b62ba53da6c9336fbd3e32c01c6f76ed9ad4b051d14da183698ddeb9bdce
Risk score: 154

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1204.002 User Execution: Malicious File

The PDF carries a large number of clickable link annotations. Most of them point at other PDFs hosted under filesusr.com (Wix user-file hosting), and one points at a redirector service. The primary redirector URL, 'https://ttraff.me/wix?keyword=forest+city+high+school+forest+city+ia', embeds a search-style keyword string so that the link reads like a search result and invites a click. The same URL also appears in the heavily obfuscated document body. The volume of links, the redirector destination and the classifier score of 1.0000 together indicate a generated SEO/link-farm carrier whose purpose is to route users into a redirect chain, not a document a person authored. Note that this sample relies on user interaction (clicking a link) rather than on a parser vulnerability, so the risk is in the destination chain, not in opening the file.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates (a saved-over file appends a new copy of the object), so severity is raised only when the duplicate carries active content such as a link, action or script.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/wix?keyword=forest+city+high+school+forest+city+ia
    • http://wuduju.kupskorner.com/uploads/1/3/1/4/131454762/nozixapeninogege.pdf
    • http://files.praphitproductions.com/uploads/1/3/0/8/130814132/3455501.pdf
    • https://cc413d4c-838e-40aa-be64-b8e3a5c2d96f.filesusr.com/ugd/1a1092_85cc44843d6c419c86f9616b5e6a0d14.pdf?index=true
    • https://59c79bcd-91bc-4521-8b3f-b9c0e405d698.filesusr.com/ugd/70e7d4_ac5e1f91eb1642f7b7d70ffba2166817.pdf?index=true
    • https://d74abd65-fc05-49bd-8650-c091f6b1b3fa.filesusr.com/ugd/bb05c1_d92a7a16a75a4666bc4126b47b802dd9.pdf?index=true
    • https://69c9d851-fc98-442f-9f57-c7e4a533a680.filesusr.com/ugd/73cb9e_930516fdca7e4cd3b5090ad1dac8562f.pdf?index=true
    • https://13c2c399-77bf-4cdc-bcae-63d9ec391617.filesusr.com/ugd/daca0d_013408f563c14b90a5f7d3fb82a3ca37.pdf?index=true
    • https://c0a3b1e5-a03f-4013-86af-cc2def70293c.filesusr.com/ugd/0a3240_3aafece1047143b28509a4edc7d45e57.pdf?index=true
    • https://1637c2ce-2b6e-43f0-9153-903a86efd820.filesusr.com/ugd/89064d_3cc4a6767bbe4cac9dbfac4ba199f34f.pdf?index=true
    • https://c797ac94-0873-4cd4-a625-c300462c7a99.filesusr.com/ugd/9d869b_704501a809414c48afd2fe754dc8a05e.pdf?index=true
    • https://5400c363-f623-45ef-b8b9-23d5bf1b19a5.filesusr.com/ugd/b3318b_f7983a729e654f97b335ecdef0e5b709.pdf?index=true
    • https://f122ed73-9a5a-4ad7-8001-09c05d778e5f.filesusr.com/ugd/0286dd_fe26f19c76bb4af999ba8fab8de63577.pdf?index=true
    • https://59cab8d1-66fd-457b-868a-7d5faaf9daa8.filesusr.com/ugd/e2c223_309b0760480a457ebf772a9e25da48c3.pdf?index=true
    • https://a127dfe3-5542-4c4b-a26f-613c5eedc96b.filesusr.com/ugd/ccf397_90ea29c256b94587895fca8bf78944a9.pdf?index=true
    • https://71ce7fff-8eb7-4875-8d83-2159b3ca100c.filesusr.com/ugd/717a42_aebceebb869e47bf919b77df90759f40.pdf?index=true
    The following six strings are XMP metadata namespace identifiers from the document's metadata stream, not clickable links:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://59cab8d1-66fd-457b-868a-7d5faaf9daa8.filesusr.com/ugd/e2c223_309b0760480a457ebf772a9e25da48c3
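The three structural heuristics above (PDF_MALICIOUS_REDIRECTOR_LINK, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced in a few dozen lines over the raw bytes of a PDF. The Python below is an added example written for this report, not the analysis engine's own code. It builds a constructed, uncompressed sample PDF whose page carries a dozen Link annotations on invented filesusr.com subdomains, then appends an incremental update that redefines annotation object 4 with the ttraff.me redirector URL, and runs the three checks under both first-wins and last-wins object resolution. The hosts ttraff.me and filesusr.com are taken from this report; the UUID-style subdomains, file names, object layout, thresholds and function names are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed inputs: ttraff.me and filesusr.com are the hosts named in this
# report; the UUID-style subdomains and file names below are invented.
REDIRECTOR_URL = "https://ttraff.me/wix?keyword=forest+city+high+school+forest+city+ia"
FARM_URLS = [
    f"https://{i:08x}-0000-4000-8000-000000000000.filesusr.com/ugd/{i:06x}_doc.pdf?index=true"
    for i in range(12)
]
REDIRECTOR_SITES = {"ttraff.me"}  # redirector infrastructure named in this report
# Keys whose presence makes a duplicated object "active" (hypothetical list).
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)
LINK_RE = re.compile(rb"/Subtype\s*/Link\b")
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def build_sample_pdf(urls, update_url):
    """Constructed sample: an uncompressed PDF with one Link annotation per URL,
    followed by an incremental update that redefines annotation object 4 with a
    different /URI (xref tables omitted; a raw scanner does not need them)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs.append(f"<< /Type /Page /Parent 2 0 R /Annots [{annots}] >>".encode())
    for u in urls:  # annotation objects 4, 5, 6, ...
        objs.append(f"<< /Type /Annot /Subtype /Link /A << /S /URI /URI ({u}) >> >>".encode())
    out = b"%PDF-1.4\n"
    for n, body in enumerate(objs, start=1):
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: same object number and generation, different body.
    out += b"4 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\nendobj\n" % update_url.encode()
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return out


def parse_objects(data):
    """Map (number, generation) -> every body defined for it, in file order."""
    objs = {}
    for m in OBJ_RE.finditer(data):
        objs.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3))
    return objs


def find_duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape: same (N G) with differing bodies."""
    findings = []
    for key, bodies in parse_objects(data).items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            findings.append({
                "obj": key,
                "definitions": len(bodies),
                "active": any(k in b for b in bodies for k in ACTIVE_KEYS),
                "first": bodies[0],
                "last": bodies[-1],
            })
    return findings


def extract_link_uris(data, resolve="last"):
    """URIs from Link annotations, resolving duplicates first-wins or last-wins.
    Handles plain literal strings only (no hex strings, no escape decoding)."""
    uris = []
    for bodies in parse_objects(data).values():
        body = bodies[-1] if resolve == "last" else bodies[0]
        if LINK_RE.search(body):
            uris += [m.group(1).decode("latin-1") for m in URI_RE.finditer(body)]
    return uris


def site_of(url):
    """Crude registrable-domain grouping (last two labels); a real tool uses the PSL."""
    labels = (urlsplit(url).hostname or "").lower().split(".")
    return ".".join(labels[-2:])


def assess_link_farm(uris, size_bytes, max_size=100 * 1024, min_links=10, min_share=0.5):
    """PDF_SEO_LINK_FARM shape: small file, many external .pdf links, one dominant site.
    Thresholds are assumptions; the report does not state the engine's values."""
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    sites = Counter(site_of(u) for u in pdf_links)
    top_site, top_count = sites.most_common(1)[0] if sites else ("", 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    return {
        "external_pdf_links": len(pdf_links),
        "dominant_site": top_site,
        "dominant_share": round(share, 2),
        "flagged": size_bytes <= max_size and len(pdf_links) >= min_links and share >= min_share,
    }


def redirector_hits(uris):
    """PDF_MALICIOUS_REDIRECTOR_LINK shape: any link into known redirector infrastructure."""
    return [u for u in uris if site_of(u) in REDIRECTOR_SITES]


def analyze(data):
    result = {"size": len(data), "duplicate_objects": find_duplicate_objects(data)}
    for policy in ("first", "last"):
        uris = extract_link_uris(data, policy)
        result[policy] = {"uris": uris,
                          "link_farm": assess_link_farm(uris, len(data)),
                          "redirector": redirector_hits(uris)}
    return result


if __name__ == "__main__":
    report = analyze(build_sample_pdf(FARM_URLS, REDIRECTOR_URL))
    for d in report["duplicate_objects"]:
        print("duplicate object", d["obj"], "active=%s" % d["active"])
    for policy in ("first", "last"):
        print(policy + "-wins:", report[policy]["link_farm"], report[policy]["redirector"])
```

Running it shows why the duplicate-object heuristic matters: a first-wins reader sees twelve link-farm URLs and no redirector, while a last-wins reader (the behaviour of most viewers for an incremental update) sees the ttraff.me link in object 4. Both views still trip the link-farm check. On real samples the annotations are usually inside compressed object streams, so inflate those first (for example with Didier Stevens' pdf-parser.py) before applying a raw byte scan like this one, and decode PDF string escapes and hex strings before matching URLs.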

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00004be7.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x4BE7  5200 bytes
  SHA-256: b1c95fecb86b45b5125a46aec81e2e87cba0bad04b3e46b0b3e14ff0bc8577c4
font_01_sfnt_off00005da2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5DA2  10332 bytes
  SHA-256: c50d193d53cfb5744db92d42a4beb3b6c0f0fe1b4e05f346588ef82e384ea0ce