Malicious PDF — malware analysis report

Static analysis result for SHA-256 678ec838c7bd303d…

MALICIOUS

PDF

Size: 53.7 KB
Created: 2020-09-19 08:52:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e4d91e40533dd6aa9c51c05c77711462
SHA-1: e3482a28585bf93f1bf3646a2b6c2f60b993d98d
SHA-256: 678ec838c7bd303df06584b72b6de22c8b9f08ab088753d068b5777723b975e3
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of external links, one of which points to a known malicious redirector. The document body, though obfuscated, contains the URL 'https://ttraff.club/wix?keyword=gta+apk+mod+hack', whose keyword parameter suggests a lure aimed at users searching for game cheats and modded APKs. The volume of links to other PDFs, their clustering on a few hosting domains, and the ML classifier's maximum score together indicate a generated link-farm carrier built to route users into a redirect chain toward potentially harmful content, not a document that exploits a parser flaw.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G obj) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.club/wix?keyword=gta+apk+mod+hack
    • http://files.divorcecoachingandconsulting.com/uploads/1/3/1/4/131437669/4f67cf.pdf
    • http://nulefasu.enterhisgatescamp.com/uploads/1/3/1/4/131453718/wuworunoke.pdf
    • http://jekekuko.spencer-amaral.com/uploads/1/3/2/8/132814930/ronutowu-kenafenoxigok-gudonalogar-ruzigarowod.pdf
    • http://files.mshansonsclass.com/uploads/1/3/1/4/131406344/681b5d4.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://b117cd0c-bba2-4434-8ab5-eb1152089d2a.filesusr.com/ugd/c5d40f_88e2b70646e24bf197b895458284da16.pdf?index=true
    • https://260c0c0d-faff-417d-a815-cb7fad8dae3f.filesusr.com/ugd/64e449_1a86dfcc134b46eb9aa30253400a73e3.pdf?index=true
    • https://176cfaf0-a0d0-4878-8fed-cf834edf32dd.filesusr.com/ugd/8e1900_706e60e08cfc42878c5bfc337401e763.pdf?index=true
    • https://edda0dce-40cd-4144-a8a4-a3953db95528.filesusr.com/ugd/dcc11b_9538df44e1ea4eacacf9ce9c092d69ed.pdf?index=true
    • https://54e1f206-d4db-4a25-ad6f-e82d831e6ab0.filesusr.com/ugd/0d089b_3bcfdb06fa55411ca625a95418859cbf.pdf?index=true
    • https://2013bc58-e181-40de-a34e-906ef06e9a3f.filesusr.com/ugd/e5a943_3be97569eeed4582b59f78f3426ec8ab.pdf?index=true
    • https://d040c1e1-1bbb-48fc-8e9a-9f6eb24df617.filesusr.com/ugd/a421e3_3ec84c59ab15474dad3796afffc606c5.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0438/6196/7013/files/pusoreforox.pdf
    • https://cdn.shopify.com/s/files/1/0431/5725/8401/files/m._a_english_date_sheet_2019_bzu.pdf
    • https://cdn.shopify.com/s/files/1/0436/1990/9794/files/nozezevowasubuvuw.pdf
    • https://cdn.shopify.com/s/files/1/0430/7727/1716/files/bufilapawekopebe.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
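As an added illustration of the three detection shapes listed above (a redirector-domain blocklist hit, link-farm density, and an object number defined twice with differing bodies), here is a small Python triage script written for this page; it is not the scanner's own code and reuses the rule names only as labels. It runs against a hand-built sample PDF embedded in the script, the domain blocklist is a placeholder rather than real intelligence, and the thresholds (10 distinct links, 200 KB, 50% clustering on one registrable domain) are assumptions. It reads only literal /URI strings in uncompressed objects; real samples need a parser that inflates object streams first.

```python
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import urlparse

# Placeholder blocklist standing in for real redirector intelligence (assumption).
KNOWN_REDIRECTOR_DOMAINS = {"redirector.example"}

# Action keys whose presence makes a duplicated object "active" rather than inert layout.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR")

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def _registrable(url: str) -> str:
    """Crude registrable-domain approximation (last two labels); no public-suffix list."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def extract_uri_links(pdf: bytes) -> list[str]:
    """Pull /URI literal strings from an uncompressed PDF. Hex strings and URIs
    inside FlateDecode object streams are not handled here; a full parser would be."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def link_farm_check(urls, size_bytes, min_links=10, max_size=200_000, cluster_ratio=0.5):
    """Small file, many distinct external links, most of them on one registrable domain."""
    unique = list(dict.fromkeys(urls))
    domains = Counter(_registrable(u) for u in unique)
    top, top_n = domains.most_common(1)[0] if domains else (None, 0)
    share = top_n / len(unique) if unique else 0.0
    flagged = size_bytes <= max_size and len(unique) >= min_links and share >= cluster_ratio
    return {"flagged": flagged, "links": len(unique), "top_domain": top, "top_share": round(share, 3)}


def find_duplicate_objects(pdf: bytes) -> list[dict]:
    """Report 'N G obj' defined more than once with differing body bytes."""
    bodies: dict[tuple[int, int], list[bytes]] = {}
    for m in OBJ_RE.finditer(pdf):
        bodies.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3).strip())
    out = []
    for (num, gen), defs in bodies.items():
        distinct = list(dict.fromkeys(defs))  # exact byte-for-byte repeats are harmless
        if len(distinct) < 2:
            continue
        active = any(k in body for body in distinct for k in ACTIVE_KEYS)
        out.append({"obj": f"{num} {gen}", "definitions": len(defs),
                    "severity": "medium" if active else "info",
                    "first_wins": distinct[0][:60], "last_wins": distinct[-1][:60]})
    return out


def triage(pdf: bytes) -> list[dict]:
    findings = []
    urls = extract_uri_links(pdf)
    hits = sorted({u for u in urls if _registrable(u) in KNOWN_REDIRECTOR_DOMAINS})
    if hits:
        findings.append({"rule": "PDF_MALICIOUS_REDIRECTOR_LINK", "severity": "critical", "detail": hits})
    farm = link_farm_check(urls, len(pdf))
    if farm["flagged"]:
        findings.append({"rule": "PDF_SEO_LINK_FARM", "severity": "critical", "detail": farm})
    for dup in find_duplicate_objects(pdf):
        findings.append({"rule": "PDF_DUPLICATE_OBJ_BODY_INCREMENTAL", "severity": dup["severity"], "detail": dup})
    return findings


# --- Constructed sample input: a hand-built minimal PDF, not the analysed file ---
LINKS = (["https://redirector.example/wix?keyword=lure"]
         + [f"https://{i:04x}-site.filesusr.example/ugd/{i}.pdf" for i in range(8)]
         + ["https://cdn.shop.example/files/a.pdf", "http://www.w3.org/1999/02/22-rdf-syntax-ns#"])


def _annot(num: int, url: str) -> bytes:
    return f"{num} 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI ({url}) >> >> endobj\n".encode()


def build_sample_pdf() -> bytes:
    refs = " ".join(f"{10 + i} 0 R" for i in range(len(LINKS)))
    annots = b"".join(_annot(10 + i, u) for i, u in enumerate(LINKS))
    return (b"%PDF-1.4\n"
            + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            + f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{refs} 4 0 R] >> endobj\n".encode()
            + b"4 0 obj << /Type /Annot /Subtype /Link >> endobj\n"  # first definition: inert
            + annots
            # same object number, different body, now carrying a URI action (last-wins readers follow it)
            + b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirector.example/) >> >> endobj\n"
            + b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for finding in triage(build_sample_pdf()):
        print(finding["severity"], finding["rule"], finding["detail"])
```

The duplicate-object rule mirrors the severity logic described above: two byte-identical copies are ignored, differing bodies are reported as info, and the level is raised only when one of the bodies carries an action key. Clustering by the last two host labels is deliberately crude; swap in a public-suffix lookup before trusting it on real hosting platforms.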

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007efe.bin
  SHA-256: 67e3059e8fed1d7db16911f6bfa4881bb69f7289c70841e9943713774c737241
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7EFE
  Size: 5100 bytes

Filename: font_01_sfnt_off0000903c.bin
  SHA-256: dde918b5f814b7eac6aee8a31f0b9e7ce902ea7d3b5d22e8dfb6c20122b9f164
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x903C
  Size: 10176 bytes

Filename: font_02_sfnt_off0000b353.bin
  SHA-256: 1fc7e768cfa51450d2492da245546f565077e5f72aec101002ea06b0a324bc82
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB353
  Size: 16660 bytes