Malicious PDF — malware analysis report

Static analysis result for SHA-256 5e114a4b8649311f…

MALICIOUS

PDF

289.2 KB Created: 2020-09-18 01:15:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 28afeb2a54dce90fe4f1371082fe509a SHA-1: 0cf7474fd453471eae21137b1ebd0d4bc3488fcf SHA-256: 5e114a4b8649311f6bc8323b61206d5e59e56fe8fe294b3a09012075944b1666
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and contains a critical heuristic indicating a link to known malicious redirector infrastructure. The embedded URL, https://ttraff.club/wix?keyword=%25D9%2585%25D9%2586+%25D8%25A7%25D9%2582%25D9%2588%25D8%25A7%25D9%2584+%25D8%25B9%25D9%2584%25D9%258A+%25D8%25A8%25D9%2586+%25D8%25A7%25D8%25A8%25D9%258A+%25D8%25B7%25D8%25A7%25D9%2584%25D8%25A8+%25D8%25B9%25D9%2586+%25D8%25A7%25D9%2584%25D9%2586%25D8%25B3%25D8%25A7%25D8%25A1, is the primary indicator of malicious intent. Although no scripts were explicitly extracted, the PDF structure and the malicious link suggest it is designed to redirect users to a malicious site, likely as part of a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=%25D9%2585%25D9%2586+%25D8%25A7%25D9%2582%25D9%2588%25D8%25A7%25D9%2584+%25D8%25B9%25D9%2584%25D9%258A+%25D8%25A8%25D9%2586+%25D8%25A7%25D8%25A8%25D9%258A+%25D8%25B7%25D8%25A7%25D9%2584%25D8%25A8+%25D8%25B9%25D9%2586+%25D8%25A7%25D9%2584%25D9%2586%25D8%25B3%25D8%25A7%25D8%25A1
    • http://files.drakosden.com/uploads/1/3/2/6/132695329/cbab0.pdf
    • http://tizusi.thinknwonder.org/uploads/1/3/1/3/131380065/fidimepovidominoni.pdf
    • http://favapulal.longtimers.com/uploads/1/3/1/3/131384492/surozalatuzeg.pdf
    • http://bipapod.jostkatsound.com/uploads/1/3/1/3/131383837/2307197.pdf
    • http://risurod.vintuitivewmt.com/uploads/1/3/0/7/130739655/dadovutarirebubi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0437/5530/7159/files/2046735625.pdf
    • https://cdn.shopify.com/s/files/1/0430/3824/5017/files/27086817559.pdf
    • https://cdn.shopify.com/s/files/1/0434/3519/6568/files/gewejetakabuzegukova.pdf
    • https://cdn.shopify.com/s/files/1/0431/4310/2613/files/request._id_socketio_server.pdf
    • https://cdn.shopify.com/s/files/1/0430/7343/7845/files/xanenozakakufode.pdf
    • https://cdn.shopify.com/s/files/1/0438/2808/4896/files/asian_buzz_cut_reddit.pdf
    • https://cdn.shopify.com/s/files/1/0429/7054/6335/files/39807248920.pdf
    • https://cdn.shopify.com/s/files/1/0428/9832/5663/files/tituxuruwumi.pdf
    • https://c9080cc6-f320-4400-8454-1a7b355c38a6.filesusr.com/ugd/8d0191_60f45e0175f041a2954be903cef6ddef.pdf?index=true
    • https://83a049b6-1205-4e4d-8618-b973a37055b3.filesusr.com/ugd/804ff6_2520d45dc3ed4d81be1fde056d71db57.pdf?index=true
    • https://8dd1570f-4241-4ed4-a754-aa0ec2248e3e.filesusr.com/ugd/4fea5c_c5c035c4b4874f019935db7b0c082f03.pdf?index=true
    • https://bdf91a7e-3944-49f3-9f13-6ef5b7b08f28.filesusr.com/ugd/29c71c_f8360f48781f49648f7882db159f919b.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_007_off0004382a.bin
de7510f6a95a333e1c900fd8c2470706ec5a9c8c720d67844cf2d8632261da3a		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x4382A 34864 bytes
font_00_sfnt_off0003efa6.bin
8e72149c7ce3095aec9cecc072f8a515df207c00aebf785f12c4fc197e954f4b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3EFA6 4068 bytes
font_01_sfnt_off0003fd85.bin
a3bb60ea086532b3982896a9cddd72b3d5700b8d6c9092a91918d8fe11489d20		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3FD85 8912 bytes
font_02_sfnt_off00041c1f.bin
837cab570554ad462f94ece7a81748c1335d1b7246f3cdee95d61a245a22664b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x41C1F 18032 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.