Malicious PDF — malware analysis report

Static analysis result for SHA-256 5f682d499de4bf05…

MALICIOUS

PDF

37.0 KB Created: 2020-09-21 12:49:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b0ff5d9f5d876a1c11cb7b0ffbb69fab SHA-1: 32e56814438cb2e4d0f68820e4426c756284a9bf SHA-256: 5f682d499de4bf055f5ae2ee7d86689e72344274278c786b72d61871fde990a8
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded links, with one identified as a malicious redirector pointing to 'https://ttraff.club/wix?keyword=ninja+ultima+blender+parts'. The document body, though heavily obfuscated, contains text related to product names and the authoring application, suggesting a lure. The presence of a link farm heuristic further indicates an attempt to distribute malicious content or traffic. No scripts were extracted, but the PDF structure itself facilitates the malicious redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=ninja+ultima+blender+parts
    • http://desil.thegreenmedicineshop.com/uploads/1/3/0/8/130814328/logakip_vares_kegazajezuri.pdf
    • http://dovexupo.fffurther.nl/uploads/1/3/0/9/130969932/a41f92c08.pdf
    • http://files.rumble-records.com/uploads/1/3/1/4/131437307/migase.pdf
    • http://files.sanitasforexpats.es/uploads/1/3/0/8/130874330/1451409.pdf
    • http://files.brannmanndan.com/uploads/1/3/0/8/130874148/7b5cc6a1.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://a42572c6-129b-497e-8141-5c18363e8c3d.filesusr.com/ugd/837d34_fc30a0675f1d4d26a969251756298d9e.pdf?index=true
    • https://8418dbf5-36b9-4f69-ad75-70f011b57f2d.filesusr.com/ugd/9219f8_814b3693972346c2a82ca4506c4d973e.pdf?index=true
    • https://a2301252-c833-44e4-b31c-c56a5c56e59d.filesusr.com/ugd/10b11f_2c3abb1798f4444b803acac20338f402.pdf?index=true
    • https://846fd258-dd31-41c1-bbd0-3e8cfc384814.filesusr.com/ugd/a9e086_7a64cdcea7b24a35a9a1346238c41354.pdf?index=true
    • https://d5ef3fa8-a3b2-49b6-bb1a-0898fa4a3d7b.filesusr.com/ugd/bd7df1_834c9eb39066488893744c61172948e6.pdf?index=true
    • https://0f8bf443-ae59-4443-9b9c-2e6e8b4c87e1.filesusr.com/ugd/cb4a18_03a32310526d4b4285d25d916295697c.pdf?index=true
    • https://f9b174c4-0c20-4574-be27-511bac372d1e.filesusr.com/ugd/a42eed_dcd5b7bbd434498a8ee3f0582e67bb07.pdf?index=true
    • https://33a58ec2-9889-4082-9272-011ebeeab7b8.filesusr.com/ugd/6a4619_d11101ffdc29438897e0a3f48945f47b.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000050a8.bin
27c4bba0f20a57e029d325d8acd9262d439072e606ccd8acfb64c7a726f6d5f9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x50A8 5288 bytes
font_01_sfnt_off00006285.bin
1d6ee54ce11d0ffb53d044f416e7eda4987d9dbc7cf390c88fb41169c6933192		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6285 10764 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.