Malicious PDF — malware analysis report

Static analysis result for SHA-256 682e251d79488fb8…

Verdict: MALICIOUS
File type: PDF
Size: 119.5 KB
Created: 2020-08-13 15:40:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2c43118afe08a2b4c05af27752214271
SHA-1: 7928bd44e00807bb26dbf4eaf1f8fa8fd675eb4d
SHA-256: 682e251d79488fb8c80886b6b502833f7ff61d2c7ddd026156eec99ba0a1e2e1
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a clickable link to ttraff.com, a known malicious redirector used to route users to malicious content. The document body, although heavily obfuscated, contains the same URL, which suggests the intent is to get the user to click it. The large number of external PDF links further indicates a link-farm or SEO-manipulation carrier used to distribute malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, and not a normal document citation pattern.
  • Object number defined twice with different bodies (severity: info, rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Because body-only differences are also common in benign incremental updates, severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL on its own is not a detection; see the per-URL labels for the channel (macro, JS, link annotation, document body, ...) through which each URL was reached. The w3.org, purl.org, ns.adobe.com, scripts.sil.org and dejavu.sourceforge.net entries below are XMP metadata namespaces and embedded-font licence references rather than campaign infrastructure.
    • https://ttraff.com/pify?keyword=alman+dili+5+ci+sinif+pdf
    • http://rerunu.creativecakeatiers.com/uploads/1/3/0/7/130738884/dewewuris.pdf
    • http://files.synbim.co.uk/uploads/1/3/1/4/131438899/236290.pdf
    • http://files.cashanafrica.com/uploads/1/3/1/4/131454255/1f13b8c3411a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0435/7813/0593/files/jimubolowuvodizirekex.pdf
    • https://cdn.shopify.com/s/files/1/0433/4944/2713/files/76592908442.pdf
    • https://cdn.shopify.com/s/files/1/0431/6174/7605/files/17871708579.pdf
    • https://cdn.shopify.com/s/files/1/0435/5335/7985/files/amd_radeon_hd_5450_driver.pdf
    • https://cdn.shopify.com/s/files/1/0435/8730/5629/files/jekexij.pdf
    • https://cdn.shopify.com/s/files/1/0431/6276/3425/files/wrinkle_in_time_graphic_novel.pdf
    • https://cdn.shopify.com/s/files/1/0430/1655/2605/files/gakanapoxoxi.pdf
    • https://cdn.shopify.com/s/files/1/0428/7257/0012/files/59576669396.pdf
    • https://cdn.shopify.com/s/files/1/0430/6750/6849/files/rumupimep.pdf
    • https://cdn.shopify.com/s/files/1/0432/8561/0654/files/woritojofip.pdf
    • https://cdn.shopify.com/s/files/1/0433/5098/2821/files/35447549864.pdf
    • https://cdn.shopify.com/s/files/1/0436/4976/1433/files/acuerdos_comerciales_preferenciales.pdf
    • https://cdn.shopify.com/s/files/1/0429/9145/2314/files/84313036808.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
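The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a few lines of triage code. The script below is an added example, not the scanner's code: it runs on a constructed PDF byte string (not the analysed sample; the hosts in it are reserved example names), and the thresholds (file at most 512 KB, at least five external .pdf links, at least 60% of them on one host) and the keyword list used to decide what counts as "active content" are assumptions. It also shows why the duplicate-object shape matters, by resolving the same object id the way a first-wins and a last-wins reader would.

```python
"""Triage helpers for the SEO link-farm and duplicate-object heuristics.
Added example; thresholds and keyword lists are assumptions, and the PDF
below is constructed for the demonstration, not the analysed sample."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: one page whose link annotations point at six external
# .pdf files, five of them on one host, plus object "4 0" defined twice with
# different bodies (first a URI action, later JavaScript). Not real infrastructure.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 10 0 R 11 0 R] >> endobj
4 0 obj << /Type /Action /S /URI /URI (https://redirector.example.test/go?keyword=x) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.farm.example.test/files/a.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.farm.example.test/files/b.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.farm.example.test/files/c.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.farm.example.test/files/d.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.farm.example.test/files/e.pdf) >> >> endobj
10 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://files.other.example.test/uploads/1/2/3/x.pdf) >> >> endobj
11 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other.example.test/) >> >> endobj
4 0 obj << /Type /Action /S /JavaScript /JS (app.alert\\(1\\)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Keys whose presence in a duplicated body justifies raising severity (assumed list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/SubmitForm", b"/ImportData", b"/GoToR")


def parse_objects(data):
    """Map (num, gen) -> every body defined for that id, in file order; nothing is dropped."""
    objs = {}
    for m in OBJ_RE.finditer(data):
        objs.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3).strip())
    return objs


def extract_link_uris(data):
    """All /URI literal strings in the file, with backslash escapes for ( ) and \\ undone."""
    return [re.sub(rb"\\([()\\])", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(data)]


def link_farm_assessment(uris, file_size, max_size=512 * 1024, min_pdf_links=5, min_share=0.6):
    """Flag a small file whose external .pdf links cluster on one host (thresholds assumed)."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    return {"pdf_links": len(pdf_links), "top_host": top_host, "top_host_share": round(share, 2),
            "flag": file_size <= max_size and len(pdf_links) >= min_pdf_links and share >= min_share}


def duplicate_definitions(objs):
    """Object ids defined more than once with differing bodies; 'active' marks the severity raise."""
    return [{"obj": key, "definitions": len(bodies),
             "active": any(k in b for b in bodies for k in ACTIVE_KEYS)}
            for key, bodies in objs.items() if len(set(bodies)) > 1]


def resolve(objs, key, policy):
    """The body a first-wins ('first') or last-wins ('last') reader would use for an object id."""
    bodies = objs.get(key)
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def triage(data):
    objs = parse_objects(data)
    uris = extract_link_uris(data)
    return {"objects": len(objs), "uris": uris,
            "link_farm": link_farm_assessment(uris, len(data)),
            "duplicates": duplicate_definitions(objs)}


if __name__ == "__main__":
    report = triage(SAMPLE_PDF)
    print(report["link_farm"])
    print(report["duplicates"])
    objs = parse_objects(SAMPLE_PDF)
    for policy in ("first", "last"):
        print(policy, "wins ->", resolve(objs, (4, 0), policy))
```

The regex scan is deliberately naive (no xref parsing, no stream decoding), which is the point: it sees every definition in the byte stream, so a duplicate that a spec-following reader would silently shadow still shows up. A real reader picks one body per policy, and with the constructed sample a first-wins reader opens a URI action on launch while a last-wins reader runs JavaScript from the same object id.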

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00017dfa.bin
  SHA-256: bb6a1ee66fc24a1a1e218bb807fba1c538c3b337dee0e6fc267aae00cf29dd6e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x17DFA
  Size: 5316 bytes

Filename: font_01_sfnt_off00018ffe.bin
  SHA-256: ebeabaf69e011e134b65fee59ccc50c424f59be28345da8a5719f56f2036253c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x18FFE
  Size: 14516 bytes

Filename: font_02_sfnt_off0001bc7b.bin
  SHA-256: d1a84ba8f0e4a827a048d387db8dd5dae3538f1c7e72415b16af587a9947cdc7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1BC7B
  Size: 16060 bytes