Malicious PDF — malware analysis report

Static analysis result for SHA-256 68351d1ede59f63d…

MALICIOUS

PDF

66.7 KB Created: 2020-09-16 15:44:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8431c9e38bd16e5f729613ff329004da SHA-1: 497d38ff9be929450e157f3dc9f3f03c4bd364ad SHA-256: 68351d1ede59f63d5cb5c44afe1e858539f59682a2ca66fe976f13768d51a304
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.me/wix?keyword=formal+and+informal+reports+examples'. The document body, though heavily obfuscated, contains this URL and text suggesting it's a report example, indicating a lure. The presence of numerous external PDF links, many pointing to benign Shopify URLs, suggests a link farm or SEO manipulation tactic to mask the malicious redirector. No scripts were extracted, but the primary threat is the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=formal+and+informal+reports+examples
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0431/7511/6961/files/powerflex_70_manual.pdf
    • https://cdn.shopify.com/s/files/1/0428/7198/0198/files/fufezolaremuwikizitavekak.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/galuta.pdf
    • https://cdn.shopify.com/s/files/1/0434/7507/5225/files/anglo_saxon_period_in_urdu.pdf
    • https://cdn.shopify.com/s/files/1/0463/6652/3547/files/zinus_platform_bed_replacement_screws.pdf
    • https://cdn.shopify.com/s/files/1/0428/1883/0492/files/91283537772.pdf
    • https://cdn.shopify.com/s/files/1/0429/6943/2230/files/vetamuvemuwizipalunen.pdf
    • https://cdn.shopify.com/s/files/1/0428/2620/3302/files/zovalovofure.pdf
    • https://aeacac57-82f6-48db-af0c-cd17eb07d15a.filesusr.com/ugd/3225da_acae7881031c4761a38d917cd0a42052.pdf?index=true
    • https://17ff2cc3-2cec-49ca-aeed-8a8503863754.filesusr.com/ugd/143c98_fed07c01df634489b35ed1bd6368e3e1.pdf?index=true
    • https://5e56369d-8470-4b3a-b718-402f51fb4ee0.filesusr.com/ugd/ceb2e8_f85d55e59bce401e92d0db328d7be43a.pdf?index=true
    • https://fb8e10f4-1354-4b64-84c4-40b0c32f6d07.filesusr.com/ugd/eb6612_45a9524f9f8d462cb7e1e5b77ac47ef0.pdf?index=true
    • https://6354af5d-3f82-47ff-8457-662f1616d3d1.filesusr.com/ugd/e643da_552f29e52a2b4c07bddd646d0dfe80e2.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c74c.bin
19220d8c676f7d33f06ef097a165f7b3f292198974897ed53361a5b7e3cd8aeb		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC74C 5208 bytes
font_01_sfnt_off0000d8f2.bin
af2e76e420f798b85b022eeb1022c1af8b7d7a4a38a33b7dde6d93cb6e1747ba		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD8F2 10748 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.