Malicious PDF — malware analysis report

Static analysis result for SHA-256 6126d2abf2abdced…

MALICIOUS

PDF

40.5 KB Created: 2020-09-04 09:15:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9d36600f8b719717da06ba3cbdb4ad97 SHA-1: 61a01501aedad3e90de7972c9398eba67a202d27 SHA-256: 6126d2abf2abdced31343661c6bb21de2f5a79db199266c65add53c460be2d08
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file contains a large number of embedded links, many of which point to benign content, but one critical link directs to a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.link/wix?keyword=advanced+english+level+test+pdf', suggesting a lure to a phishing or malware distribution site. The presence of embedded JavaScript, indicated by the ML classifier and heuristic firings, likely facilitates the redirection or further payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=advanced+english+level+test+pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://static.usrfiles.com/ugd/1d64af_f3d07bf74a174217b9598452881b76d4.pdf
    • https://static.usrfiles.com/ugd/a48928_53017874d5aa41198a94a5ac3c8ff5c8.pdf
    • https://static.usrfiles.com/ugd/fb41f9_db88020f0b6f455989dcbd9938de6b78.pdf
    • https://static.usrfiles.com/ugd/5f5755_52ae1c7007d74c1f9eae6331147f230a.pdf
    • https://static.usrfiles.com/ugd/c75f60_d797d41a518547b4aff8208f51911677.pdf
    • https://cdn.shopify.com/s/files/1/0437/7791/7085/files/brand_ladder.pdf
    • https://cdn.shopify.com/s/files/1/0429/2624/3996/files/47532716835.pdf
    • https://cdn.shopify.com/s/files/1/0432/5241/6672/files/27756317037.pdf
    • https://cdn.shopify.com/s/files/1/0428/7443/7791/files/what_does_ily_mean_in_text.pdf
    • https://cdn.shopify.com/s/files/1/0435/8832/1438/files/onenote_android_dark_mode.pdf
    • https://static.usrfiles.com/ugd/b48b60_ad80304d6a18470c8fb69a1c382ab49a.pdf
    • https://static.usrfiles.com/ugd/b8c837_f035972904dc4f688e7143e1609cbd03.pdf
    • https://static.usrfiles.com/ugd/55f640_4abad083fe6548bc8b9ff9ad5cba535f.pdf
    • https://cdn.shopify.com/s/files/1/0434/8038/3653/files/rarajukuzelovilexopul.pdf
    • https://cdn.shopify.com/s/files/1/0429/0999/1075/files/49242956980.pdf
    • https://cdn.shopify.com/s/files/1/0437/6982/3390/files/dermot_kennedy_outnumbered_piano_sheet_music.pdf
    • https://cdn.shopify.com/s/files/1/0431/6141/9927/files/vesuwobefomed.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/55166802931.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005322.bin
396980add142851371d7fe96c643ca045f9bfe778deee9a2c07f25459a439247		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5322 5048 bytes
font_01_sfnt_off00006455.bin
ad701ae3f2270f6812bfc0f4161a544e762d21e0a441a2cfc6ad3108c179dc6a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6455 10108 bytes
font_02_sfnt_off000086dd.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x86DD 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.