Malicious PDF — malware analysis report

Static analysis result for SHA-256 67aa69aab1b8bf0b…

MALICIOUS

PDF

64.4 KB Created: 2020-08-31 21:56:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2a27fd884891ecd4ba1c7a140d6eaa33 SHA-1: 0232aea39b8c50a107da4cef65c8388ef8e34000 SHA-256: 67aa69aab1b8bf0b79bb256976a096da6a893cd034f40832e303d864c79f7d8b
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains heuristics indicating it is a malicious redirector and an advance-fee scam lure. It embeds numerous links, with one pointing to known malicious infrastructure. The document body, though partially corrupted, contains the URL 'https://ttraff.me/wix?keyword=c.+b.+s.+e+of+full+form', which is flagged as malicious. The presence of many external PDF links suggests a link farm or SEO manipulation tactic.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=c.+b.+s.+e+of+full+form
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://fedorahosted.org/lohit
    • https://static.usrfiles.com/ugd/3ceeb9_8a0df52db7944bdaa6bd251a58ce62bb.pdf
    • https://static.usrfiles.com/ugd/b8c837_b6cccc870f9d4dd9aee253b8d896ca6d.pdf
    • https://static.usrfiles.com/ugd/19103d_4d5b49fd804545ee9eb0ba99c2b42680.pdf
    • https://cdn.shopify.com/s/files/1/0432/2341/6995/files/dollar_general_drug_test.pdf
    • https://cdn.shopify.com/s/files/1/0448/4169/7441/files/cauchy_sequence.pdf
    • https://cdn.shopify.com/s/files/1/0430/1671/6437/files/deogratias_a_tale_of_rwanda.pdf
    • https://cdn.shopify.com/s/files/1/0434/8513/5014/files/waxugat.pdf
    • https://cdn.shopify.com/s/files/1/0433/2643/9582/files/97154428164.pdf
    • https://cdn.shopify.com/s/files/1/0435/9480/9507/files/sezejanef.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/39843759369.pdf
    • https://static.usrfiles.com/ugd/a01749_59ae47b120bb4e05a1b2ee40d618cca0.pdf
    • https://static.usrfiles.com/ugd/374ce0_00106995a15e43abad3b6f33eb66e219.pdf
    • https://static.usrfiles.com/ugd/b8c837_ab76910009f1403cb19aff60a750fa02.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009bdb.bin
3dba1d5c1544d0563235f141551cafbbd62749ea9f4025abe4af4c1534806711		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9BDB 4544 bytes
font_01_sfnt_off0000ab4e.bin
4c4219d3da37812080ccf13bfd23934b5771182dc7d1ea03f999ecc83e4dcb9b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAB4E 10592 bytes
font_02_sfnt_off0000cf46.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCF46 4324 bytes
font_03_sfnt_off0000dd46.bin
924a71d6cd4a8f7216e5f3cd4f8d696a66824134df9fb284d04ef2eab1e51535		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDD46 6732 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.