Malicious PDF — malware analysis report

Static analysis result for SHA-256 626c09b47b1e4e5a…

MALICIOUS

PDF

38.4 KB Created: 2020-08-31 08:13:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 84911b61db06891e95b148d8a2c3f0df SHA-1: 16b25fd29251ac8a56e84fa409205890a7338e57 SHA-256: 626c09b47b1e4e5a1e90f5412304569837c2b8dfc991b11bcc5da1e343f968f4
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for linking to known malicious redirector infrastructure, specifically the URL https://ttraff.com/wix?keyword=easy+auto+refresh. It also exhibits characteristics of a PDF link farm, embedding numerous other PDF links, many of which are hosted on static.usrfiles.com. The ML classifier strongly flagged this PDF as malicious. While no scripts were explicitly extracted, the nature of the embedded links suggests an intent to lure users to malicious sites, likely for phishing or to download further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=easy+auto+refresh
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://static.usrfiles.com/ugd/dc8a8e_272f8c8bff024887a4ae19fd280d6605.pdf
    • https://static.usrfiles.com/ugd/ba3095_baab8ba91c23496f8b9370c511d07e48.pdf
    • https://static.usrfiles.com/ugd/b8c837_82ca98d220124fa3a1cbac718eb95ff2.pdf
    • https://static.usrfiles.com/ugd/f4de5e_af26e2b9bbad4645b61adae85fa13c05.pdf
    • https://cdn.shopify.com/s/files/1/0437/3826/7809/files/dicte_5me_bescherelle.pdf
    • https://cdn.shopify.com/s/files/1/0440/5323/3814/files/petzl_crevasse_rescue.pdf
    • https://cdn.shopify.com/s/files/1/0430/6403/3429/files/35220135329.pdf
    • https://cdn.shopify.com/s/files/1/0430/6858/8185/files/geometric_tattoo_template.pdf
    • https://cdn.shopify.com/s/files/1/0429/9603/9833/files/pefijijuxasukedom.pdf
    • https://cdn.shopify.com/s/files/1/0439/8986/0510/files/10012474441.pdf
    • https://static.usrfiles.com/ugd/576447_1140721ad7344cbeb0f350befc32ffe4.pdf
    • https://static.usrfiles.com/ugd/b8c837_3137da062c8b48e3b358b055b572269f.pdf
    • https://static.usrfiles.com/ugd/b8c837_cb993aec78354c05bc22b84878ffdd64.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004d73.bin
65ccbea4c1a24eaaa1f83fe47efc3afe39cca3ceb28326a5b8264e34db7226d7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4D73 4608 bytes
font_01_sfnt_off00005d36.bin
f2462f02d4fac1c45e8b46effc568d043d943270e44e6dd0a25f5fc04b6ec232		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D36 10092 bytes
font_02_sfnt_off00007f1a.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F1A 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.