Malicious PDF — malware analysis report

Static analysis result for SHA-256 52c4b8d609605140…

MALICIOUS

PDF

Size: 40.4 KB
Created: 2020-11-05 11:15:52 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 830cc97d92c42b37294903aec10d7238
SHA-1: 48468380d5b5c7c10b1673cf5461945f78252f5e
SHA-256: 52c4b8d609605140da66523606fcbf6647b9d93f0fbdc7f3e9cad87abbac9424
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.link/123?keyword=golden+son+pdf+free'. The document body also explicitly contains this URL, suggesting the primary purpose is to trick the user into visiting this malicious site. No scripts were extracted, but the presence of the malicious URL strongly indicates a phishing or redirection attack.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL (link annotation / document body): https://ttraff.link/123?keyword=golden+son+pdf+free

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00006004.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6004  4856 bytes
  SHA-256: ab7d2538c8cec79c86f36a527648e36f4637a5a7abc27f7fffbe405b6b240887
font_01_sfnt_off00007099.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7099  10904 bytes
  SHA-256: 89de0ce05905ba00057d94412371c7539c2d51fd7d4c442478990cb933d56914