Malicious PDF — malware analysis report

Static analysis result for SHA-256 5b4d2eee826a1031…

MALICIOUS

PDF

Size: 48.4 KB
Created: 2020-08-30 03:37:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bb18186dfc4577b41606e26f2fb7863d
SHA-1: 469b1616cd20b6315dcbe941f7d0c75ae112cf7b
SHA-256: 5b4d2eee826a103174650a96da127cb5173b84fdccfca1d8feba2637c6bee362
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to ttraff.com. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs. The ML classifier also strongly flagged this PDF as malicious. The document body, though heavily obfuscated, contains the same malicious URL, suggesting an attempt to lure the user to a potentially harmful site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/wix?keyword=my+little+lamb+cradle+n+swing+recall

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off00005886.bin
  SHA-256: 40ed7a59e93a39a2357a6714e82246a7d8382393c541a7d084f33d2bd6126fa4
  Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x5886; Size: 5588 bytes

font_01_sfnt_off00006c16.bin
  SHA-256: c03c6e48913a4ca426b8e903c0b76105986b54582d4f497396234371732948fb
  Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x6C16; Size: 5596 bytes

font_02_sfnt_off00007f14.bin
  SHA-256: eca62b72654736461a635ba366d09d794777fd95c58152d2b251becdfce657e0
  Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x7F14; Size: 6640 bytes

font_03_sfnt_off000090b1.bin
  SHA-256: 71a3c14d9837f436b28e1dbf81ae7cabb820510bfdbdab87386fe08e351f4907
  Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x90B1; Size: 10492 bytes