Malicious PDF — malware analysis report

Static analysis result for SHA-256 6494869780894d31…

MALICIOUS

Type: PDF
Size: 90.3 KB
Created: 2020-09-20 02:56:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a7a0f2a7922048713a500814c75bc32e
SHA-1: 8d69b0672bac016a8e5ee4812d2aaa93f9ce7aa2
SHA-256: 6494869780894d3129c3d25cadba04f3f260293c75ce7fd0e442dbe05a638bf4
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The heuristic PDF_MALICIOUS_REDIRECTOR_LINK fired on a clickable link to 'https://ttraff.me/wix?keyword=best+way+to+train+summoning'. The document body, though heavily obfuscated, contains a similar URL, so the document's primary purpose appears to be routing readers to that redirector infrastructure rather than exploiting the PDF reader: the sample depends on a user clicking a link and on the redirect chain behind it. The large number of external links, flagged by PDF_SEO_LINK_FARM and clustered on filesusr.com hosts, indicates a generated SEO link-farm or spamming operation, which is consistent with the file having been produced by an HTML-to-PDF converter (wkhtmltopdf) rather than an office application.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (a JavaScript, launch or URI action, for instance).
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels, where present, record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/wix?keyword=best+way+to+train+summoning (the clickable link flagged by PDF_MALICIOUS_REDIRECTOR_LINK)
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://561013f6-0a80-40c2-b9b8-44af8fefbac9.filesusr.com/ugd/a4c1fa_38d3100277194526932575131fd42a9b.pdf?index=true
    • https://f633266c-97d5-444e-b094-c03de74e256d.filesusr.com/ugd/ebc5f9_30f8addea3bc4e0aa53cd988d4d345b3.pdf?index=true
    • https://2f4e95ad-92f7-49bd-a305-ba76163aeaae.filesusr.com/ugd/debbe1_d211766d1e0c4807b28b62d2ab7e51c6.pdf?index=true
    • https://b47c7718-0949-4857-ad7c-37dd6d6212a0.filesusr.com/ugd/bb05c1_15bcacc113f7414f9513d7c9dadf8775.pdf?index=true
    • https://ff91c90a-24cf-43d5-98d2-a992cfe2cfa1.filesusr.com/ugd/2ddd39_7fd4704bea694c7281f5005ca1283731.pdf?index=true
    • https://af515ab5-cf09-45e0-a83e-119793525d67.filesusr.com/ugd/3ceeb9_56faf643200c4d7a97602dfa366f9390.pdf?index=true
    • https://b180f40a-4f13-4971-8ac2-40271c1487d7.filesusr.com/ugd/eaf48f_eca73816abf04806b598709a4288be33.pdf?index=true
    • https://aca36667-614a-435e-aa50-6ec7eef4191a.filesusr.com/ugd/80c1db_7ef6aaeb7aa34fa1b9e9067a7cac2e9c.pdf?index=true
    • https://6997c54c-8fce-4620-9751-ca207fb7e855.filesusr.com/ugd/1a1092_3a90d1db0dc94159a4fbb0a6a497f504.pdf?index=true
    • https://8c55a388-8220-452f-8201-d1e1e8c7fce5.filesusr.com/ugd/bdc04d_ebb175a06f374dd48f124b33c20e0a3a.pdf?index=true
    • https://c87fe5eb-bccf-4e0f-b79b-2788f301826a.filesusr.com/ugd/23b571_41d1efa8301642178765c386a1df8a5b.pdf?index=true
    • https://832c5936-2422-4aca-bb36-7cd56bdfaa09.filesusr.com/ugd/e50c99_a484ba21c1f646aabe8b6b9af399c331.pdf?index=true
    • https://89e22aae-564f-4d1d-8aa6-c73ec64ab26f.filesusr.com/ugd/3bcfef_199595e0f4c9423ea0826bd68d250606.pdf?index=true
    • https://8f16416f-7148-4602-9f6b-df27f0a4b980.filesusr.com/ugd/d9f7b5_e75fd718d5a0485bbdbe6416d89678bd.pdf?index=true
    • https://537495e7-53a1-4c21-b06d-075e98f9725f.filesusr.com/ugd/d2cc1f_0157417db81b45bea611b2f61bff8b22.pdf?index=true
    • https://959617ed-2e33-41e7-991c-3125223121f3.filesusr.com/ugd/585b1d_aef70067b49147f2a86507affb0026ec.pdf?index=true
    • https://0cc12e91-eb53-4aa1-9e61-830e49df4f1b.filesusr.com/ugd/c67d0c_bcb8882bff624e7e8d47132101272aca.pdf?index=true
    • https://22442c9a-84b7-4e8f-b61d-2860be89e542.filesusr.com/ugd/d63aaf_27eb380621b3457dafe74697c5e5971a.pdf?index=true
    • https://4a2110eb-beca-4b83-bcb8-93c5685d2770.filesusr.com/ugd/95089d_3b3ff7c54aee4dacb08f430b3e3f5da4.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are not clickable links. The www.w3.org, purl.org and ns.adobe.com URIs are XMP/RDF namespace identifiers from the document's metadata stream, and the scripts.sil.org/OFL entry is the SIL Open Font License URL, which, like the two ascendercorp.com entries above, is the kind of string carried in an embedded font's name table (most likely from the two sfnt fonts carved below). They appear here because EMBEDDED_URL lists every URL string regardless of the channel that reached it.
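The three checks described in this section can be reproduced at the byte level without a full PDF parser. The Python below is an added example written for this page, not code from the engine that produced the report. It runs over a constructed miniature PDF (not the analysed sample) and mirrors PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (an object defined twice, resolved first-wins versus last-wins), the distinction EMBEDDED_URL draws between a URL merely present in the document text and one reachable through a clickable /Link annotation, and PDF_SEO_LINK_FARM (clickable external links clustered on one host in a small file). The thresholds, the example hosts and the regex-based object scanner are assumptions; a production scanner would additionally decode object streams and compressed content.

```python
import hashlib
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed miniature PDF (not the analysed sample). It carries three /Link
# annotations (two on a.example, one whose /A action is the indirect object
# 4 0), object 4 0 defined twice with different bodies (benign first,
# redirector last), and an XMP namespace URI that is only document text.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /S /URI /URI (https://benign.example/doc.pdf) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.example/one.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.example/two.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A 4 0 R >> endobj
8 0 obj << /Type /Metadata /Subtype /XML >> stream
<x xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>
endstream endobj
4 0 obj << /S /URI /URI (https://redirector.example/go?k=x) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
LINK_RE = re.compile(rb"/Subtype\s*/Link\b")
ACTION_REF_RE = re.compile(rb"/A\s+(\d+)\s+(\d+)\s+R\b")
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)
ANY_URL_RE = re.compile(rb"https?://[^\s\"'<>()]+")


def scan_objects(data):
    """Every 'N G obj ... endobj' definition in file order, as (num, gen, body).
    Naive byte-level scan: it does not decode object streams (/ObjStm)."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: (num, gen) keys defined more than
    once with different body bytes, mapped to their bodies in file order."""
    bodies = {}
    for num, gen, body in scan_objects(data):
        bodies.setdefault((num, gen), []).append(body)
    return {key: seen for key, seen in bodies.items()
            if len({hashlib.sha256(b).digest() for b in seen}) > 1}


def resolve(data, num, gen, policy="last"):
    """Resolve an indirect object the way a first-wins or last-wins reader
    would. Incremental-update semantics take the last definition; some parsers
    and triage tools take the first, which is the confusion the heuristic targets."""
    seen = [body for n, g, body in scan_objects(data) if (n, g) == (num, gen)]
    if not seen:
        return None
    return seen[0] if policy == "first" else seen[-1]


def link_uris(data, policy="last"):
    """URIs reachable through clickable /Link annotations (the channel the
    redirector and link-farm heuristics look at), following an indirect /A action."""
    uris = []
    for _num, _gen, body in scan_objects(data):
        if not LINK_RE.search(body):
            continue
        ref = ACTION_REF_RE.search(body)
        action = resolve(data, int(ref.group(1)), int(ref.group(2)), policy) if ref else body
        uris += [u.decode("latin-1") for u in URI_RE.findall(action or b"")]
    return uris


def all_url_strings(data):
    """EMBEDDED_URL channel: any http(s) string anywhere in the bytes, clickable or not."""
    return [u.decode("latin-1") for u in ANY_URL_RE.findall(data)]


def link_farm_verdict(data, min_links=3, cluster_ratio=0.6, max_size=200 * 1024):
    """PDF_SEO_LINK_FARM-style check. The thresholds are assumptions for this example."""
    hosts = Counter(urlparse(u).hostname for u in link_uris(data)
                    if urlparse(u).scheme in ("http", "https"))
    total = sum(hosts.values())
    result = {"link_farm": False, "links": total, "hosts": dict(hosts), "top_host": None}
    if total < min_links or len(data) > max_size:
        return result
    top_host, top_n = hosts.most_common(1)[0]
    result.update(top_host=top_host, link_farm=top_n / total >= cluster_ratio)
    return result


if __name__ == "__main__":
    for key, seen in duplicate_objects(SAMPLE_PDF).items():
        print(f"duplicate object {key[0]} {key[1]}: first-wins={seen[0]!r} last-wins={seen[-1]!r}")
    print("clickable:", link_uris(SAMPLE_PDF))
    print("any string:", all_url_strings(SAMPLE_PDF))
    print("verdict:", link_farm_verdict(SAMPLE_PDF))
```

Running it shows the point of the duplicate-object heuristic: the clickable link set differs depending on which definition of object 4 0 the reader trusts, so a triage tool that resolves first-wins would report the benign URL while a viewer applying incremental-update semantics follows the redirector. It also shows why the XMP namespace URI is listed by the EMBEDDED_URL channel but never counted toward the link-farm verdict.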

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00011d14.bin
    SHA-256: 3e98c02a610f8873be2adde226d62e80bb2e1d5b8dda84d616db36f5dcf9770a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11D14
    Size: 5216 bytes
  • font_01_sfnt_off00012ed9.bin
    SHA-256: 2af7c0d73e5634585df99718217c9fb28633cd2200f0e9badfe3736b60058bf5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12ED9
    Size: 14268 bytes
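The artifacts above are raw sfnt (TrueType/OpenType) containers located by byte offset and sized from their table directory. The Python below is an added example, not the carver that produced the table: it scans a buffer for the sfnt magic values, validates the offset table (table count, the binary-search fields, printable tags, in-bounds table records) before accepting a hit so that stray magic bytes are rejected, and names each carve the way the report does. The synthetic font, the decoy header and the filler bytes are constructed test data, and the limit of 64 tables is an assumption.

```python
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")  # TrueType, Apple TrueType, CFF OpenType
MAX_TABLES = 64                                         # assumed sanity limit


def make_sfnt(tables):
    """Build a minimal, well-formed sfnt container from {tag: payload}.
    Constructed test data for this example; it is not a usable font."""
    num = len(tables)
    entry_selector = num.bit_length() - 1              # floor(log2(numTables))
    search_range = (1 << entry_selector) * 16
    header = struct.pack(">4sHHHH", SFNT_MAGICS[0], num, search_range,
                         entry_selector, num * 16 - search_range)
    offset = 12 + 16 * num
    records, payload = b"", b""
    for tag, body in tables.items():
        records += struct.pack(">4sIII", tag, 0, offset, len(body))
        body += b"\0" * (-len(body) % 4)               # tables are 4-byte aligned
        payload += body
        offset += len(body)
    return header + records + payload


def parse_sfnt_at(data, off, max_tables=MAX_TABLES):
    """Return (offset, size, tags) if a plausible sfnt starts at off, else None."""
    if off + 12 > len(data):
        return None
    num, search_range, entry_selector, range_shift = struct.unpack_from(">HHHH", data, off + 4)
    if not 1 <= num <= max_tables:
        return None
    expected_selector = num.bit_length() - 1
    expected_range = (1 << expected_selector) * 16
    if (search_range, entry_selector, range_shift) != (
            expected_range, expected_selector, num * 16 - expected_range):
        return None                                    # binary-search fields must agree with numTables
    dir_end = off + 12 + 16 * num
    if dir_end > len(data):
        return None
    end, tags = dir_end, []
    for i in range(num):
        tag, _checksum, toff, tlen = struct.unpack_from(">4sIII", data, off + 12 + 16 * i)
        if not all(0x20 <= c < 0x7F for c in tag):
            return None                                # tags are printable ASCII
        if toff < 12 + 16 * num or off + toff + tlen > len(data):
            return None                                # table must follow the directory and stay in bounds
        end = max(end, off + toff + tlen)
        tags.append(tag.decode("ascii"))
    return (off, end - off, tags)


def carve_sfnt(data):
    """All plausible sfnt fonts in data as (offset, size, tags), sorted by offset."""
    hits = []
    for magic in SFNT_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            hit = parse_sfnt_at(data, pos)
            if hit:
                hits.append(hit)
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def carve_files(data):
    """Name each hit as the report does: font_<n>_sfnt_off<offset>.bin -> carved bytes."""
    return {f"font_{i:02d}_sfnt_off{off:08x}.bin": data[off:off + size]
            for i, (off, size, _tags) in enumerate(carve_sfnt(data))}


# Constructed buffer: a decoy magic with an absurd table count, filler, a real
# synthetic sfnt at offset 0x40, then trailing filler.
FAKE_FONT = make_sfnt({b"head": b"\x00" * 56, b"name": b"\x00" * 20})
DECOY = b"\x00\x01\x00\x00\xff\xff" + b"A" * 10
SAMPLE = DECOY + b"A" * (0x40 - len(DECOY)) + FAKE_FONT + b"B" * 33


if __name__ == "__main__":
    for off, size, tags in carve_sfnt(SAMPLE):
        print(f"sfnt at offset 0x{off:X}, {size} bytes, tables {tags}")
```

The size comes from the furthest table end rather than from the surrounding PDF stream length, which is why a carve can be shorter than the stream that holds it; on a real PDF the font streams are usually FlateDecode-compressed, so this scan would run over the inflated stream bodies rather than the raw file.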