Malicious PDF — malware analysis report

Static analysis result for SHA-256 68ff5afc51fcf1af…

MALICIOUS

PDF

39.9 KB Created: 2020-09-19 01:49:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4913d3d69f93e5c8d1839ecf9ab438ba SHA-1: d951f3255216313e20c3eff42680f60047cd490b SHA-256: 68ff5afc51fcf1af09b3dad3ee392595a111e81313f8d7bdfb5d3e460a78d29a
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains numerous embedded links, with one identified as a malicious redirector. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' and 'PDF_SEO_LINK_FARM' indicate a deliberate attempt to direct users to potentially harmful sites. The ML classifier also strongly flagged this PDF as malicious. The embedded URL 'https://ttraff.club/wix?keyword=sword+manual+commands' is the primary IOC, likely leading to a phishing or malware distribution page.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=sword+manual+commands
    • http://nadefefi.karensnovels.com/uploads/1/3/1/6/131606592/fomogaligenopeb.pdf
    • http://niwipedeg.wendybowers.co.uk/uploads/1/3/1/6/131606419/vefivumotel.pdf
    • http://fevid.sonus-pedals.com/uploads/1/3/1/4/131406893/genosi_fokuliginebuku_xamitujoroviv_sutemomuluxuf.pdf
    • http://files.solutioncraft.org/uploads/1/3/1/3/131397946/sokifox.pdf
    • http://safebeku.italyoptical.com/uploads/1/3/0/8/130874612/1446533.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://dbfe74e6-1f72-4096-a313-653550049e2b.filesusr.com/ugd/a891c0_82e8aec9c46f4861a5b1b0f9a78fa88f.pdf?index=true
    • https://e8bd4850-a670-4052-a465-d6866e3245ce.filesusr.com/ugd/5360f8_749a34bc709449d6a7df7ae0cd78c0ab.pdf?index=true
    • https://4604ffb2-48f8-4bf3-b06d-2fe51a044b88.filesusr.com/ugd/89c6ad_d6a73deadac142248d9a7d1fea776727.pdf?index=true
    • https://a5ddd0e3-8f54-4537-92b6-1b11bac4859c.filesusr.com/ugd/599026_93a52b7d2be042d2a7c9137564fd9912.pdf?index=true
    • https://60527943-01a3-4514-968e-ceea177822ec.filesusr.com/ugd/12dc78_e825820fbac04c5c91e77f672982ac43.pdf?index=true
    • https://3fb4d816-20a3-4bd2-8832-1f0ef605ed25.filesusr.com/ugd/28b3f7_cde2e5babb904b96b2c44cc5acada26f.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0428/0690/2950/files/advantages_of_solar_energy.pdf
    • https://cdn.shopify.com/s/files/1/0428/7679/7081/files/85901374759.pdf
    • https://cdn.shopify.com/s/files/1/0483/8673/6286/files/maroxabukowobunik.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f14.bin
1bb33eed2436ce838d0c5f0eda0e2417a670804887f6fff38da26ae256a7db91		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F14 5280 bytes
font_01_sfnt_off000070fc.bin
5c8584f46e0b60bb6c9ac18dcd605c8b0c79ce5f66b1ee037845bed72cc8c988		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70FC 10068 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.