Malicious PDF — malware analysis report

Static analysis result for SHA-256 5ab9fc6b3643f2a5…

Verdict: MALICIOUS
File type: PDF
Size: 46.7 KB
Created: 2020-09-07 20:09:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 226571af7c77555b5a2a03b4db70bcf6
SHA-1: bff1ed26fa71e2fddc6911e89ff18174ffd712cc
SHA-256: 5ab9fc6b3643f2a5096083f8167c7dabcab8a10dc22839d72ff869d6b3e7db76
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a mass of external links. Most are SEO-style links to other PDF files on legitimate hosting (cdn.shopify.com, static.usrfiles.com) and point to benign content, but one link targets ttraff.link, a known malicious redirector. The URL 'https://ttraff.link/wix?keyword=michigan+vehicle+bill+of+sale+pdf' recovered from the document body carries a search keyword ('michigan vehicle bill of sale pdf'), which is the lure topic that brings a search-engine user to this document in the first place. Taken together, the PDF link farm and the redirector link indicate a carrier document built to route the user into a redirect chain for phishing or unwanted-software delivery; it depends on a click, not on a parser vulnerability.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL (the target of PDF_MALICIOUS_REDIRECTOR_LINK): https://ttraff.link/wix?keyword=michigan+vehicle+bill+of+sale+pdf
    Other extracted URLs:
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0436/4586/2041/files/cnn_report_on_el_paso_shooting.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/xekugoxozeritazol.pdf
    • https://cdn.shopify.com/s/files/1/0438/3876/7266/files/krishna_yajur_veda_brahmana.pdf
    • https://cdn.shopify.com/s/files/1/0438/3748/9309/files/49461478971.pdf
    • https://static.usrfiles.com/ugd/409ca8_c6446339d63546a594e130f58ee3e25e.pdf
    • https://static.usrfiles.com/ugd/d5d855_5645556544f343fa852508b708e778d1.pdf
    • https://static.usrfiles.com/ugd/930050_4d6a7fa9b80245749e13fdffe9dc53bb.pdf
    • https://static.usrfiles.com/ugd/9e53d4_efdb5d4cf5a94d798060e15b02e75d60.pdf
    • https://static.usrfiles.com/ugd/a32c20_c2e2e768432f40cb934136346c3f107f.pdf
    • https://static.usrfiles.com/ugd/429b25_7a8e9f1de4974869979bff8f9dadcb8a.pdf
    • https://static.usrfiles.com/ugd/99b222_3754aa1e93ea45cd99f75fcb0c3d6e4c.pdf
    • https://static.usrfiles.com/ugd/2f7489_92ffe372f53f4c5faebcf6656c4c3164.pdf
    • https://static.usrfiles.com/ugd/9e41f0_cfc7b3ddd1fa4fcfb117fe5bff275c77.pdf
    • https://static.usrfiles.com/ugd/e9cba9_bd9f163e6f634fd5aa9e60162cba2efb.pdf
    • https://static.usrfiles.com/ugd/1c90dc_6c00bd1636a74e5fbcd5e09ed48796cf.pdf
    • https://static.usrfiles.com/ugd/a2ebd8_2bb1d718325443acadf47aa257a7d0cc.pdf
    • https://static.usrfiles.com/ugd/53c654_a73e503d803945788ee97068ef5a3e06.pdf
    • https://static.usrfiles.com/ugd/aa14a9_b4b362e58b9f48b293355be98a5b5fad.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
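The two critical heuristics above are described in prose only. The Python below is an added illustration (not code from the analysis platform) of the shape of both checks run over raw PDF bytes: it collects the targets of /URI link-annotation actions, counts them per host to test the link-farm pattern, and groups every 'N G obj' definition to find the duplicate-body shape, raising severity only when a duplicate body carries active content. The file it scans is a constructed minimal PDF built inside the script; the hosts, thresholds and object layout are assumptions chosen to resemble this report's findings, and it is not the analysed sample.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Regexes over raw PDF bytes. They only see objects that are written in the
# clear, not ones packed into compressed object streams (PDF 1.5+ /ObjStm).
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")


def build_sample_pdf(n_links: int = 12) -> bytes:
    """Constructed test file (not the analysed sample): one redirector link,
    a cluster of .pdf links on a single host, and object 4 defined twice,
    the second time with a JavaScript action. Hosts are assumptions."""
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj"]
    for i in range(n_links):
        uri = ("https://ttraff.link/wix?keyword=lure+pdf" if i == 0
               else f"https://static.example.test/ugd/{i:04x}_lure.pdf")
        objs.append(f"{10 + i} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    f"/A << /S /URI /URI ({uri}) >> >> endobj".encode())
    annots = " ".join(f"{10 + i} 0 R" for i in range(n_links))
    objs.append(f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{annots}] >> endobj".encode())
    objs.append(b"4 0 obj << /Type /Metadata /Length 0 >> endobj")           # first body: inert
    objs.append(b"4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj")   # second body: active
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


def extract_uris(pdf: bytes) -> list[str]:
    """Collect every /URI (...) string, i.e. the targets of link-annotation actions."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def link_farm_verdict(pdf: bytes, max_size: int = 200_000, min_pdf_links: int = 10,
                      cluster_ratio: float = 0.5) -> dict:
    """Link-farm shape: small file, many external .pdf links, most on one host.
    Thresholds are illustrative assumptions, not the platform's values."""
    uris = extract_uris(pdf)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    hit = len(pdf) <= max_size and len(pdf_links) >= min_pdf_links and share >= cluster_ratio
    return {"hit": hit, "total_uris": len(uris), "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 2)}


def duplicate_objects(pdf: bytes) -> list[dict]:
    """Find 'N G obj' defined more than once with different body bytes.
    A linear first-wins parser resolves bodies[0], a last-wins parser bodies[-1];
    severity is raised only when some duplicate body carries active content."""
    seen: dict[tuple[int, int], list[bytes]] = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        seen.setdefault(key, []).append(b" ".join(m.group(3).split()))  # normalise whitespace
    findings = []
    for (num, gen), bodies in seen.items():
        if len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            findings.append({"obj": f"{num} {gen}", "definitions": len(bodies),
                             "active_content": active,
                             "severity": "high" if active else "info",
                             "first_wins": bodies[0], "last_wins": bodies[-1]})
    return findings


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(link_farm_verdict(sample))
    for finding in duplicate_objects(sample):
        print(finding)
```

Regex over raw bytes is the cheap triage form and is enough for wkhtmltopdf-style PDF 1.4 output, where annotation dictionaries are written in the clear. It misses objects inside compressed object streams and ignores the xref table, so a real reader's resolution can differ from both the first-wins and the last-wins order shown; inflate object streams or run a full parser such as pypdf or pdfminer before trusting a negative result.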

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00006afb.bin
    SHA-256: edeaa878ffcff947745bdf1815e5c8c9575df3d4171d3c13b0b75f1362025cbb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6AFB
    Size: 5236 bytes
  • font_01_sfnt_off00007cc4.bin
    SHA-256: e2e64b2cad8c1cee1000f8d7260250042b4548ed087a90f67e9e7606b3ed1e30
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7CC4
    Size: 10096 bytes
  • font_02_sfnt_off00009f5e.bin
    SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9F5E
    Size: 4324 bytes