Malicious PDF — malware analysis report

Static analysis result for SHA-256 785093abc2f588ae…

MALICIOUS

PDF

40.2 KB Created: 2020-08-29 17:45:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2030fc4e5de88bacf953feddf3b5a38a SHA-1: 71cd00b91b533274b8575dedeb2fc8ebd678ff68 SHA-256: 785093abc2f588ae0492ad55761b8881ab3e5157ce8c8cc28dbd30beb61cf0b1
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links, many of which point to a link farm designed to redirect users. One of the primary links, 'https://ttraff.ru/wix?keyword=triangulos+de+cuello', is flagged as a malicious redirector. This suggests the document's purpose is to direct users to malicious infrastructure, likely for further exploitation or phishing. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=triangulos+de+cuello
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static.usrfiles.com/ugd/b8c837_f0cd584adfd84226944bf179f5467e41.pdf
    • https://static.usrfiles.com/ugd/b8c837_7a9e5ad0eb9847b6a7410319515f1f37.pdf
    • https://static.usrfiles.com/ugd/b8c837_e8543f49da794d3c97b79c8ee397ac57.pdf
    • https://static.usrfiles.com/ugd/dc98cc_c18482cf971a41aeaf747e269c06d9bf.pdf
    • https://static.usrfiles.com/ugd/b8c837_92a3d4561d52403aa067b1a14aca6fb0.pdf
    • https://static.usrfiles.com/ugd/b8c837_2fd0a6254a624316afc839a0cfb07ffb.pdf
    • https://static.usrfiles.com/ugd/b8c837_8e274c87c17b4c05b8a8f33dbef06cbe.pdf
    • https://static.usrfiles.com/ugd/b8c837_2e0839b1a2534d9abba6fd66bce1cfb6.pdf
    • https://static.usrfiles.com/ugd/b8c837_67f954714fd845bf9e5cb4d42bc17c94.pdf
    • https://static.usrfiles.com/ugd/b8c837_86d72fb87252438da66d9ef3052ab444.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ebd.bin
6da9a8fbcc8bed67fb2753a15b8faacf7399724b5850d29a6d9c2ab0a23dd2c4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EBD 5056 bytes
font_01_sfnt_off00006fed.bin
764ed7265a6597057429a1b39ae87758ea3ab777238b72e4e54d0240562725e2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FED 10972 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.