Malicious PDF — malware analysis report

Static analysis result for SHA-256 5f8eee06ef95b18a…

Verdict: MALICIOUS
File type: PDF
Size: 39.3 KB
Created: 2020-09-02 02:09:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 494e78da961e0cc9628e0e229484a525
SHA-1: d91bf3d35d9ea148da06e16abf2361615af564eb
SHA-256: 5f8eee06ef95b18a310948f041014e3b8a9c8698d7ad34e8da026239c6bacc0e
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded URLs, many of which point to a link farm designed to appear as a resource for PDF documents. The primary URL, https://ttraff.me/wix?keyword=street+fighter+ex2+apk+android, is flagged as a malicious redirector. This suggests the document's purpose is to drive traffic to malicious infrastructure, likely for malware distribution or phishing. No scripts were extracted, but the structure and embedded URLs strongly indicate a malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/wix?keyword=street+fighter+ex2+apk+android
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static.usrfiles.com/ugd/b8c837_3c241bf2bd904e6089d9dccdb7324562.pdf
    • https://static.usrfiles.com/ugd/2ac701_a1262587b9b445a6a904abf97d117d13.pdf
    • https://static.usrfiles.com/ugd/b8c837_810fe72510334c9dab066ae399dc5e42.pdf
    • https://static.usrfiles.com/ugd/5af86b_2f2f3d10be684b468cbcee3521fab69c.pdf
    • https://static.usrfiles.com/ugd/0c4177_720f000fbf954e5eab8839de0c745111.pdf
    • https://cdn.shopify.com/s/files/1/0431/8547/1656/files/33012117.pdf
    • https://cdn.shopify.com/s/files/1/0431/0482/9602/files/93352500408.pdf
    • https://cdn.shopify.com/s/files/1/0435/5453/7624/files/dinoxasuve.pdf
    • https://cdn.shopify.com/s/files/1/0449/3521/7307/files/free_website_templates_bootstrap.pdf
    • https://static.usrfiles.com/ugd/9cfd0a_51cc1ef145074bf785e2d60112a63146.pdf
    • https://static.usrfiles.com/ugd/fbccce_43208e7815bd43058bda0f2e6299ebfc.pdf
    • https://static.usrfiles.com/ugd/c6ac46_fb330ca04e3c4328854199404ff2e28a.pdf
    • https://static.usrfiles.com/ugd/b910ae_dbf7e972655e49e59f6db16aa4eefffe.pdf
    • https://static.usrfiles.com/ugd/5b604d_015d57b5145e46f3ac4bc1236d12f543.pdf
    • https://static.usrfiles.com/ugd/bca722_a4d2867210cd4434be2e80fc0a1b2af5.pdf
    • https://static.usrfiles.com/ugd/be19e1_dc1ccbc27b59423fa655c2809a01ba26.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000596b.bin
  SHA-256: f5c202327509e6fc8c0dcd4b9a1d8305a3c3ee22761dd528d4e54db7e974f310
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x596B
  Size: 5460 bytes

Filename: font_01_sfnt_off00006bfd.bin
  SHA-256: a26cd9bddb0684f179a2b0b75133cc67fe378ce8bc330dcc46f59184679fd4e7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6BFD
  Size: 10128 bytes