Malicious PDF — malware analysis report

Static analysis result for SHA-256 6f775ec7daaa9a95…

MALICIOUS

PDF

46.2 KB Created: 2020-09-02 08:55:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d69257e765ddcb4e7183ccf434affbd7 SHA-1: f5f05154d5e360151107ac35c2340a1dc01191ca SHA-256: 6f775ec7daaa9a955d67c8bd352f603c617b46995c25e76b88bee1d39c9077a8
202 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a lure suggesting it provides answers to a phishing awareness test, while also listing numerous other PDF documents. One of the embedded URLs, https://ttraff.cc/wix?keyword=phishing+awareness+test+answers, is flagged as a malicious redirector. This suggests the document is designed to trick users into clicking malicious links, likely leading to further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=phishing+awareness+test+answers
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://static.usrfiles.com/ugd/97493d_dc33f63ab33a484997d506ad860bce6a.pdf
    • https://static.usrfiles.com/ugd/8b49c6_f63ec0d4157349bb9879b76f0b08a54d.pdf
    • https://static.usrfiles.com/ugd/7f46b5_02a9d2124e5449b9996b96740fd8fb35.pdf
    • https://static.usrfiles.com/ugd/c162b3_2719db3765ad4ca6bb56ee7521d80c5d.pdf
    • https://static.usrfiles.com/ugd/0cd3a8_81019b6da997456ca6a17dacc93d5250.pdf
    • https://cdn.shopify.com/s/files/1/0431/2471/9773/files/tejidodeb.pdf
    • https://cdn.shopify.com/s/files/1/0431/6902/2109/files/pikugo.pdf
    • https://cdn.shopify.com/s/files/1/0432/3282/1412/files/horizontal_and_vertical_analysis_of_financial_statements.pdf
    • https://cdn.shopify.com/s/files/1/0431/8373/4943/files/laxubewijulatajuwusewof.pdf
    • https://cdn.shopify.com/s/files/1/0438/2274/3712/files/chaffoteaux_maury_manual.pdf
    • https://cdn.shopify.com/s/files/1/0435/0964/5478/files/anunnaki_din_nibiru.pdf
    • https://cdn.shopify.com/s/files/1/0435/5627/4339/files/32._9178_96._9607.pdf
    • https://cdn.shopify.com/s/files/1/0452/2527/9648/files/bourse_d_tude_vaud.pdf
    • https://cdn.shopify.com/s/files/1/0430/7111/1330/files/kifumenurafijoj.pdf
    • https://cdn.shopify.com/s/files/1/0429/8833/9361/files/musica_mexicana_para_guitarra.pdf
    • https://cdn.shopify.com/s/files/1/0432/4258/6269/files/puxipegusepebig.pdf
    • https://cdn.shopify.com/s/files/1/0430/8667/6117/files/98585982471.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006924.bin
3bc990cb45ba5b957ba1d04aa73df20eb122018e40346f4b0e86fa664924e05f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6924 4684 bytes
font_01_sfnt_off000078fc.bin
70901bb08f80389c59cf66c09a62e8288c623390596b7ea8ae05288aa5891936		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78FC 10708 bytes
font_02_sfnt_off00009d47.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9D47 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.