Malicious PDF — malware analysis report

Static analysis result for SHA-256 663161b18c7f9cf9…

MALICIOUS

PDF

51.9 KB Created: 2020-09-01 03:33:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5b502679b35a3926e3296bd037410c3f SHA-1: 229bfdfe75c3c6fb3d55992fa5d574a097436199 SHA-256: 663161b18c7f9cf9b6da9211da9b2a76f2bd689d2d35f1dee2558e6920a7049c
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to external PDF files, forming a link farm. One of these links, 'https://ttraff.ru/wix?keyword=statuses+plural+form', is identified as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting an attempt to direct users to malicious infrastructure. No scripts were extracted, but the presence of embedded URLs and the link farm structure strongly indicate a phishing or redirection attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=statuses+plural+form
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static.usrfiles.com/ugd/b8c837_053c0258328d466fb7a69ceb52b4bdd0.pdf
    • https://static.usrfiles.com/ugd/8cbfce_7a1d879a768f476cacac13b64e967680.pdf
    • https://static.usrfiles.com/ugd/f55bec_c3c1f75247e4402391941791a386679e.pdf
    • https://static.usrfiles.com/ugd/b8c837_76517ad3aae0491997d8781ec65862e6.pdf
    • https://cdn.shopify.com/s/files/1/0432/7184/8100/files/50900600977.pdf
    • https://cdn.shopify.com/s/files/1/0432/5474/3200/files/online_games_addiction.pdf
    • https://cdn.shopify.com/s/files/1/0432/6899/7288/files/eliciting_information_from_multiple_experts.pdf
    • https://cdn.shopify.com/s/files/1/0435/2222/8376/files/susep.pdf
    • https://cdn.shopify.com/s/files/1/0429/9964/4314/files/49235432938.pdf
    • https://cdn.shopify.com/s/files/1/0432/4104/6171/files/47422348258.pdf
    • https://cdn.shopify.com/s/files/1/0437/9217/1165/files/mefajebajuriripefiketuzi.pdf
    • https://cdn.shopify.com/s/files/1/0440/2721/6037/files/kpekler_iin_bira_mayas_ve_sarmsa.pdf
    • https://cdn.shopify.com/s/files/1/0432/3105/1943/files/49453957159.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005d20.bin
216e8bd6b8fd4a25f6af73d1cd7d521c180b0fa50fc61fc5817d69c21d464031		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D20 3904 bytes
font_01_sfnt_off00006b14.bin
34e6a5b299c58033d908b2617c022137b70f9456cd9d9f535ec80973a5cf3531		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B14 5148 bytes
font_02_sfnt_off00007c7e.bin
80ba44bd5e3323505b24572b1d21a0891f11f1af1a7bed00d6207e13bf7541bf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C7E 12032 bytes
font_03_sfnt_off0000a423.bin
0085243bee1fbc7b0616a4de5b8019a0ff91d144e2cdc8826a3ce4086d610d64		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA423 18900 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.