Malicious PDF — malware analysis report

Static analysis result for SHA-256 62c33e9df27f3910…

MALICIOUS

PDF

48.6 KB Created: 2020-08-09 01:50:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e76c4b8b9478cfc38d2dbb0f91b91d9a SHA-1: d9ce3020d61869be3f138dab622512d7665ad084 SHA-256: 62c33e9df27f3910510071e03dcbc2d1485327988a49ef9001d0d846b235e3ec
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links, including one to a known malicious redirector at ttraff.com. It also exhibits characteristics of a link farm, suggesting an attempt to generate traffic or distribute malicious content. The presence of a 'download' button lure further supports a malicious intent to trick users into clicking on potentially harmful links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=dictionary+download+free+pdf
    • http://files.saint-paul-maltese.com/uploads/1/3/0/7/130775435/rufasozapeli_mixex_saxejisitebemes.pdf
    • http://xitekorir.klbavarianwaxart.com/uploads/1/3/0/7/130739227/gugak.pdf
    • http://files.synergisticma.com/uploads/1/3/1/3/131383825/2642393.pdf
    • http://files.gordenstaxservice.com/uploads/1/3/1/3/131383743/f03d7d.pdf
    • http://files.vedajess.com/uploads/1/3/0/8/130813108/zagiwum_vukolonepezeje_nugipefubuzowu_pomafonipe.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0435/2868/3672/files/seniv.pdf
    • https://cdn.shopify.com/s/files/1/0431/0951/5425/files/39315529138.pdf
    • https://cdn.shopify.com/s/files/1/0431/5296/5792/files/63254032317.pdf
    • https://cdn.shopify.com/s/files/1/0431/5955/2155/files/warcraft_3_patches.pdf
    • https://cdn.shopify.com/s/files/1/0430/9975/0560/files/reddit_gw_cumslut.pdf
    • https://cdn.shopify.com/s/files/1/0435/3314/0127/files/94192713485.pdf
    • https://cdn.shopify.com/s/files/1/0434/6393/4109/files/93745957625.pdf
    • https://cdn.shopify.com/s/files/1/0427/9002/7430/files/el_aprendiz_de_brujo_grimorio_gratis.pdf
    • https://cdn.shopify.com/s/files/1/0437/1965/5579/files/56538567720.pdf
    • https://cdn.shopify.com/s/files/1/0434/9739/0244/files/3509154817.pdf
    • https://cdn.shopify.com/s/files/1/0431/4172/6370/files/21257489705.pdf
    • https://cdn.shopify.com/s/files/1/0439/3258/2056/files/pofisiwexetarorezer.pdf
    • https://cdn.shopify.com/s/files/1/0431/8131/0114/files/regurir.pdf
    • https://cdn.shopify.com/s/files/1/0432/2636/6111/files/83364821695.pdf
    • https://cdn.shopify.com/s/files/1/0435/1403/6376/files/23878825090.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005e68.bin
022bf45350433cc5929de8106d74dae5e8aaa1dd0d1e65f27d89cc89643fdda2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E68 5164 bytes
font_01_sfnt_off00007026.bin
29377ee47891eb3508e55e70d91a25bc9b2c8e878e2a9688fbc888a97a27e54b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7026 4872 bytes
font_02_sfnt_off00007d94.bin
a376f47ef00a8c814dcce856c32853cfc6c9357309099d05cfd36e32508068cb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D94 10104 bytes
font_03_sfnt_off0000a049.bin
9559dd1bd908241551916101fda3d445a26f5c4b506a1423f23393456f9d5940		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA049 16036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.