Malicious PDF — malware analysis report

Static analysis result for SHA-256 737d78726b803ef7…

MALICIOUS

PDF

Size: 34.9 KB
Created: 2020-08-30 19:45:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9de4398d349c8760a7805b57030c5487
SHA-1: f6ef25f19296885b7c8405e9c5f3349a08817e23
SHA-256: 737d78726b803ef7cfbc64a4a5a80d210d432e5359f8af02bab4f74f713db316
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document contains a link farm with numerous embedded links, many of which point to benign Shopify URLs. However, one critical link redirects to `https://ttraff.cc/wix?keyword=the+legend+of+zelda+the+minish+cap+rom`, which belongs to known malicious redirector infrastructure. The document's visible content appears to be obfuscated text related to a game ROM, most likely a lure to encourage clicks on the malicious link. No scripts were extracted, but the presence of a link to a malicious redirector indicates a phishing or malware-distribution attempt that relies on user interaction rather than on a parser exploit.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://ttraff.cc/wix?keyword=the+legend+of+zelda+the+minish+cap+rom
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0429/3053/6614/files/49025188897.pdf
    • https://cdn.shopify.com/s/files/1/0429/8525/9159/files/diwufikowemuwaguxesus.pdf
    • https://cdn.shopify.com/s/files/1/0432/3108/4708/files/83585809039.pdf
    • https://cdn.shopify.com/s/files/1/0438/8729/6680/files/bangalore_pin_code_list_area_wise.pdf
    • https://cdn.shopify.com/s/files/1/0427/4287/4278/files/patiwotimunobevad.pdf
    • https://cdn.shopify.com/s/files/1/0432/6899/7284/files/27270526533.pdf
    • https://cdn.shopify.com/s/files/1/0435/4542/8122/files/54596436368.pdf
    • https://cdn.shopify.com/s/files/1/0433/6589/2264/files/45562209432.pdf
    • https://static.usrfiles.com/ugd/b8c837_1ce5197c9e444e41af22a31f73cc618d.pdf
    • https://static.usrfiles.com/ugd/cf79db_07ed4a1119bd458a9a2f6355c081dc0b.pdf
    • https://static.usrfiles.com/ugd/b8c837_2b092887eafa442484de6f598e3e6a7b.pdf
    • https://static.usrfiles.com/ugd/067ecb_db8293ae4e9f4b2d8109ca29035f52fd.pdf
    • https://static.usrfiles.com/ugd/b8c837_cc272b27e15f4de58af9a9a24f09f596.pdf
    • https://static.usrfiles.com/ugd/238140_00c04b3f3230439292089ffcb26ca013.pdf
    • https://static.usrfiles.com/ugd/4dd980_51ee2609a5f3468a90bc2f2332473cc2.pdf
    • https://static.usrfiles.com/ugd/b8c837_feaca2158ed345b5a23ce8cb5d1b11aa.pdf
    • https://static.usrfiles.com/ugd/b8c837_2f3eccaf156e4af7859294b9918a49ba.pdf
    • https://static.usrfiles.com/ugd/3826db_28da3f7babec4f1f9e046f4397fd728f.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004a7f.bin
SHA-256: 623f9aaa7120510a8fbb6ba355bc5d25595b55aecb55ce64163d1b71f2aa982b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4A7F
Size: 5568 bytes

Filename: font_01_sfnt_off00005d4a.bin
SHA-256: c0a871c4313311d51fada597c2371eef70868c2d5e18fd3c5bb0ecf92896287d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5D4A
Size: 9804 bytes