Malicious PDF — malware analysis report

Static analysis result for SHA-256 650de6a63ff0addf…

MALICIOUS

PDF

46.9 KB Created: 2020-09-05 10:00:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 04e45ed8c7c57b9fe7281fbb96971024 SHA-1: 3c69bc1f0a9b9e7c65bd835cdbc7b64ccb698e02 SHA-256: 650de6a63ff0addf37234e72600f313dd8cbfb77879d6f87ac01e037b6fc5a62
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF document contains a lure for an advance-fee scam, presenting itself as interview questions to encourage users to click embedded links. The primary link, 'https://ttraff.club/wix?keyword=interview+questions+and+answers+on+java+spring', leads to a known malicious redirector. The document also contains a large number of links to other PDFs, suggesting a link farm for SEO manipulation. No scripts were extracted, but the presence of malicious links and the advance-fee scam lure indicate a high likelihood of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=interview+questions+and+answers+on+java+spring
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static.usrfiles.com/ugd/55cc32_cfc3881099424ea097552c4e696296e3.pdf
    • https://static.usrfiles.com/ugd/d31907_10af7bb4e0524dafa5c9e2f003a2ba98.pdf
    • https://static.usrfiles.com/ugd/4c7633_2d9f96f8d2af4f5b873a5c9fdebd8320.pdf
    • https://static.usrfiles.com/ugd/756799_eee656adda894b7cb9fc59ca64546398.pdf
    • https://static.usrfiles.com/ugd/ac0094_b905f561070f499896573d9c7deca437.pdf
    • https://static.usrfiles.com/ugd/430cb2_682dccf0aec74cb29d5e8f80850ff932.pdf
    • https://static.usrfiles.com/ugd/fb41f9_ef8dfe4bf6ed4086b3f40b342d483638.pdf
    • https://static.usrfiles.com/ugd/3ab5ed_8877e8d09ba54d9da385164124890dcd.pdf
    • https://static.usrfiles.com/ugd/f459ea_bc8d47f56b554e93b66dc195f48e9b0a.pdf
    • https://static.usrfiles.com/ugd/b8c837_2803fc05dab84343b08fa42b98065201.pdf
    • https://static.usrfiles.com/ugd/4117a9_9119a759982e4e29abba1e09bda25488.pdf
    • https://static.usrfiles.com/ugd/ea5d7b_d5e3df3426594e2095e816c51dff3b5b.pdf
    • https://cdn.shopify.com/s/files/1/0428/2328/6951/files/boska_komedia_pieko.pdf
    • https://cdn.shopify.com/s/files/1/0452/0207/9893/files/android_10_tv_box.pdf
    • https://cdn.shopify.com/s/files/1/0430/0092/2261/files/40142628359.pdf
    • https://cdn.shopify.com/s/files/1/0434/6845/6088/files/pufojupivedolamuzikonax.pdf
    • https://cdn.shopify.com/s/files/1/0431/7950/7870/files/avneet_kaur_song_pagalworld.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007961.bin
5de0a12085f627eaabe97e8f3b688cecafb1933876e08811afb2c37f9dac3af1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7961 5388 bytes
font_01_sfnt_off00008bd6.bin
563737de63375a71970c1897a7b204f872bcf888c087892f6682431f6fbaba3f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8BD6 10076 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.