Malicious PDF — malware analysis report

Static analysis result for SHA-256 51492abd10ff3a41…

MALICIOUS

PDF

43.5 KB Created: 2020-09-09 09:52:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 21743740fd4aef53e9a89eb44a4aeee6 SHA-1: fb70982e670e944995f588714d6d69f7308182a9 SHA-256: 51492abd10ff3a419ac18bfcad0d5034c8ba2c302b29fd137b50ef8d476a141b
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged by multiple critical heuristics, including PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM, indicating it is designed to host a large number of external links. One of these links, 'https://ttraff.me/wix?keyword=ameixa+seca+informa%25C3%25A7%25C3%25A3o+nutricional', is identified as a malicious redirector. The ML classifier also strongly indicated maliciousness. The document body contains garbled text but includes the malicious URL, suggesting a lure for users to click on the embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=ameixa+seca+informa%25C3%25A7%25C3%25A3o+nutricional
    • https://static.usrfiles.com/ugd/91e123_3e4887979f6a4b4aa39532e1fbd03327.pdf
    • https://static.usrfiles.com/ugd/5e8de6_50ac05c568d34118afdbb83cd75caebe.pdf
    • https://static.usrfiles.com/ugd/c33cdb_bd9c2f540b8840d2ae0f8f689050c7c6.pdf
    • https://static.usrfiles.com/ugd/3fc21f_7319f33de301446aafa4802a03305646.pdf
    • https://static.usrfiles.com/ugd/6116da_f565ca7cd87a4a9dbe358257e05d09b6.pdf
    • https://static.usrfiles.com/ugd/2c608b_0f33b430662f4c9b8d94652157443d09.pdf
    • https://static.usrfiles.com/ugd/bca722_ade0adc654e143acbcec027a608a3e63.pdf
    • https://static.usrfiles.com/ugd/565485_aa2e0ffdacb346868b0c660b688ce4bc.pdf
    • https://static.usrfiles.com/ugd/3aca14_a3843eb0a2f74844b4baf1f46aa7cfa4.pdf
    • https://static.usrfiles.com/ugd/fb41f9_1de8c3e0ed1440fd9ea881abb6354f7d.pdf
    • https://static.usrfiles.com/ugd/cbdbb6_e71d3357ad5043a3860f12c75859b3d9.pdf
    • https://static.usrfiles.com/ugd/b8c837_2b20d45d18b94ade923c547aeb79234d.pdf
    • https://static.usrfiles.com/ugd/b8c837_654768dc757848ccb55b075d94197deb.pdf
    • https://static.usrfiles.com/ugd/f967ac_278e45b4c5fc44efaac42a5078ee7c1f.pdf
    • https://static.usrfiles.com/ugd/b54ff4_bf77b0777ace433ab0830e9300456001.pdf
    • https://static.usrfiles.com/ugd/529385_f0aa92833d7c4088b5eb85f9d07d55f0.pdf
    • https://static.usrfiles.com/ugd/362633_12c97fd493fc4463bfb11d460a3cbbe5.pdf
    • https://static.usrfiles.com/ugd/2ca22b_62e48db9f6c54e9293db1cc747dcb060.pdf
    • https://static.usrfiles.com/ugd/1a89c8_59854507d9dd4503bcb22f84e5aed6e7.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://static.usrfiles.com/ugd/2ca22b_62e48db9f6c54e9293db1cc747d

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000065ac.bin
af8a7c7f32bb3ed66a68d7d3beea8e5b8a1db39085971639c6a7da7a66db8114		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65AC 5584 bytes
font_01_sfnt_off000077b5.bin
9c9e9ae3525c0926ed629d376a9230725f039f1bf135323defa93c24ca863d8a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x77B5 12672 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.