Malicious PDF — malware analysis report

Static analysis result for SHA-256 6bc9ff91ef34c118…

MALICIOUS

PDF

Size: 45.1 KB
Created: 2020-09-21 02:55:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6ac0c0a801863d868760be999c13aeaf
SHA-1: 82b2bce35be1b582e2d0a9b55e3b034217822059
SHA-256: 6bc9ff91ef34c1182c56107ca586904a58d91ba46c4ca6d96048f4b9c4a42164
Risk Score: 194

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a link farm and a redirector to malicious infrastructure, identified by the heuristic PDF_MALICIOUS_REDIRECTOR_LINK. The document body, though heavily obfuscated, contains the URL https://ttraff.club/wix?keyword=eleven+madison+park+number+one+restaurant, which is likely part of an advance-fee scam lure. The presence of numerous embedded links suggests an attempt to direct users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure [high] SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=eleven+madison+park+number+one+restaurant

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007086.bin
SHA-256: 9ebd36a3088e205fd577c98f2ae94be95ea18146845cf6afe0801dd3b257a55b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7086
Size: 5328 bytes

Filename: font_01_sfnt_off0000828a.bin
SHA-256: f7e4af9865a2d9e5c37d0b88dbb3a0ae512bdc2d97fb0e980eb9d04852ab3a39
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x828A
Size: 11020 bytes