Malicious PDF — malware analysis report

Static analysis result for SHA-256 71da2c5db05f7d52…

Verdict: MALICIOUS
File type: PDF
Size: 35.0 KB
Created: 2020-09-05 23:21:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00e25d5a81886d80bf266859a42db21f
SHA-1: 4c4b3bbf5ef5cb4482c0cbe09ca9c9ae8246594b
SHA-256: 71da2c5db05f7d520631fb1b76e510bb77a1532709cfd4410f6ca678aa3a284b
Risk score: 162

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript (mapped by the tool; no scripts were extracted from this sample, so this technique is not supported by the findings below)

The PDF is a lure for 'daily puzzle answers' and embeds numerous clickable links. One of them, https://ttraff.cc/wix?keyword=daily+puzzle+answers, is flagged as a malicious redirector. The large number of external links to other PDFs suggests a generated link farm, or a mechanism for routing victims to further malicious content. No scripts were extracted; the verdict rests on the document structure and the embedded links, which point to a phishing or redirection workflow that depends on user interaction rather than on a parser vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=daily+puzzle+answers (flagged by PDF_MALICIOUS_REDIRECTOR_LINK)
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0435/2868/3672/files/41431534585.pdf
    • https://cdn.shopify.com/s/files/1/0440/6181/9045/files/74767179074.pdf
    • https://cdn.shopify.com/s/files/1/0430/9378/6791/files/sokejojoviraxajewezil.pdf
    • https://static.usrfiles.com/ugd/7d1dc9_042e0d9f02a84d41a6beddfb873db85a.pdf
    • https://static.usrfiles.com/ugd/71fd01_be2f23f624bf4579a1782f8ca773772a.pdf
    • https://static.usrfiles.com/ugd/e2c6c1_8cc54458a1284c6b96e1c945524666c1.pdf
    • https://static.usrfiles.com/ugd/c1108c_77b0643394f242ac8775c18257ccbca3.pdf
    • https://cdn.shopify.com/s/files/1/0432/2754/5755/files/4435599795.pdf
    • https://cdn.shopify.com/s/files/1/0437/2814/2501/files/iphone_apps_on_android_phone.pdf
    • https://static.usrfiles.com/ugd/eddc50_d47bc46897fc4b2a8d3e0516c722407a.pdf
    • https://static.usrfiles.com/ugd/ef253e_ddba441748714aae9c7462f314f5e9a6.pdf
    • https://static.usrfiles.com/ugd/16a96a_5d8857ec6e9b4769a4f8ddd2e2f291ec.pdf
    • https://static.usrfiles.com/ugd/48f461_3fb3b50e14f246898e3e6bcf7f42fdfe.pdf
    • https://static.usrfiles.com/ugd/2ca09c_16cd429541294a3d9fbb811727d6335f.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The w3.org, purl.org and ns.adobe.com entries are XMP/RDF namespace identifiers from the document's metadata packet, and http://scripts.sil.org/OFL is the SIL Open Font License URL; together with the ascendercorp.com and daltonmaag.com type-foundry addresses they are consistent with embedded-font and metadata strings rather than lure links. The actionable set is the ttraff.cc redirector and the external PDF links on cdn.shopify.com and static.usrfiles.com.
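The two critical heuristics and the duplicate-object finding above can be reproduced on raw PDF bytes with a few regular expressions. The following is an added example (not the report tool's code): it collects every definition of each indirect object so that first-wins and last-wins resolution can be compared, pulls the /URI strings out of link-annotation actions, and applies a link-farm rule (small file, many external .pdf links, most of them on one host). The thresholds, the `files.example-cdn.net` / `static.example-files.org` / `redirector.example` hosts and the sample PDF are all constructed for the demonstration; they are not taken from the analysed sample.

```python
"""Link-farm and duplicate-object heuristics over a raw PDF byte string.

Added example, not the report tool's code. It scans uncompressed indirect
objects with regular expressions, so it deliberately sees *every* definition
of an object number, which a first-wins/last-wins comparison needs. Objects
packed inside object streams would have to be inflated first.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# "N G obj ... endobj" with the body captured; non-greedy so each object ends at
# its own endobj. The lookbehind stops a number glued to a preceding token from
# being taken as an object number.
OBJ_RE = re.compile(rb"(?<![0-9A-Za-z])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# /URI literal strings in link-annotation actions; tolerates \( \) \\ escapes.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def parse_objects(data: bytes) -> dict:
    """Map (number, generation) -> list of every body seen, in file order."""
    objs = defaultdict(list)
    for num, gen, body in OBJ_RE.findall(data):
        objs[(int(num), int(gen))].append(body.strip())
    return dict(objs)


def duplicate_objects(objs: dict) -> list:
    """Keys defined more than once with differing bodies (the PDF_DUPLICATE_OBJ_BODY shape)."""
    return sorted(k for k, bodies in objs.items() if len(set(bodies)) > 1)


def resolve(objs: dict, key: tuple, policy: str = "last") -> bytes:
    """Body that a first-wins or a last-wins reader would use for the object."""
    bodies = objs[key]
    return bodies[0] if policy == "first" else bodies[-1]


def uris_in(body: bytes) -> list:
    """Decode the /URI strings in one object body, undoing PDF string escapes."""
    return [re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")
            for raw in URI_RE.findall(body)]


def extract_uris(data: bytes, policy: str = "last") -> list:
    """All clickable URIs, resolving duplicated objects under the given policy."""
    objs = parse_objects(data)
    return [u for key in sorted(objs) for u in uris_in(resolve(objs, key, policy))]


def link_farm_report(data: bytes, min_links: int = 8, max_size: int = 100 * 1024) -> dict:
    """PDF_SEO_LINK_FARM shape: a small file whose clickable links are mostly
    external .pdf files clustered on a single host. Thresholds are assumptions."""
    uris = extract_uris(data)
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    return {
        "size": len(data),
        "links": len(uris),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "flagged": len(data) <= max_size and len(pdf_links) >= min_links and share >= 0.5,
    }


# ---- constructed test input (not a real sample) ------------------------------
def _link_obj(num: int, url: str) -> bytes:
    return (f"{num} 0 obj << /Type /Annot /Subtype /Link "
            f"/A << /S /URI /URI ({url}) >> >> endobj\n").encode()


def build_sample_pdf(urls: list, redefine: str = None) -> bytes:
    """One page whose /Annots are /Link annotations (objects 10, 11, ...). If
    `redefine` is given, object 10 is defined a second time at the end of the
    file, the way an incremental update appends a replacement body. No xref is
    written: this is input for the scanner above, not a file for a viewer."""
    annots = " ".join(f"{10 + i} 0 R" for i in range(len(urls)))
    parts = [b"%PDF-1.4\n",
             b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
             b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
             f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{annots}] >> endobj\n".encode()]
    parts += [_link_obj(10 + i, u) for i, u in enumerate(urls)]
    if redefine:
        parts.append(_link_obj(10, redefine))
    parts.append(b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)


SAMPLE_URLS = (["https://www.example.org/about"]
               + [f"https://files.example-cdn.net/s/files/{i}.pdf" for i in range(6)]
               + [f"https://static.example-files.org/ugd/{i}.pdf" for i in range(2)])
REDIRECTOR = "https://redirector.example/wix?keyword=daily+puzzle+answers"
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS, redefine=REDIRECTOR)

if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    for key in duplicate_objects(objs):
        print(f"object {key[0]} {key[1]} defined {len(objs[key])}x:",
              "first-wins ->", uris_in(resolve(objs, key, "first")),
              "| last-wins ->", uris_in(resolve(objs, key, "last")))
    print(link_farm_report(SAMPLE_PDF))
```

Run against the constructed sample, object 10 resolves to the benign `example.org` page under first-wins and to the redirector under last-wins, which is exactly why the duplicate-object heuristic reports both bodies instead of trusting a single parser's view. The link-farm rule fires because eight of the nine clickable links are .pdf files and six of those sit on one host; the same constructed file with only three links is not flagged.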

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded fonts (sfnt), consistent with HTML-to-PDF output from wkhtmltopdf; no script or other active content was carved.

Filename                       Kind             Source                                      Size
font_00_sfnt_off000041d0.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x41D0   4748 bytes
    SHA-256: 527f87e392827991cca9ca507a9f7028b554bca3ef323393567ce4cbc97ab77e
font_01_sfnt_off0000520c.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x520C   9188 bytes
    SHA-256: df53c36de3c616faae41585f7c363036f6a95089fae45f13e589fdf00d6f7f22
font_02_sfnt_off00007155.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x7155   4324 bytes
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378