Malicious PDF — malware analysis report

Static analysis result for SHA-256 79677029c77554e9…

MALICIOUS

PDF

77.0 KB Created: 2020-09-17 02:17:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 712d578642ecb57bb231b767c4d5a204 SHA-1: 3699e9d5d6bd5a13d6034dc1d369aabf6669bd26 SHA-256: 79677029c77554e98a525fea80932ba6ed457a286779dd2b361fb7b1a00c49b2
Risk Score: 184

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous links to external websites, many of which are hosted on disposable domains and point to link farms. One prominent URL, 'https://ttraff.me/wix?keyword=sims+4+super+sim+challenge+dansk', is identified as a malicious redirector. The document's structure and the nature of the links suggest a phishing or scam attempt designed to drive traffic to malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content such as JavaScript or actions.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs
    • https://ttraff.me/wix?keyword=sims+4+super+sim+challenge+dansk
    • http://jofed.internetartexhibition.net/uploads/1/3/1/0/131070171/9357d9.pdf
    • http://nuvirale.eileenenwrighthodgetts.com/uploads/1/3/1/4/131438500/154732a1886.pdf
    • http://luvejo.eastcentralcasa.com/uploads/1/3/1/4/131453247/93cdd054.pdf
    • http://nupagu.reviewgraphs.com/uploads/1/3/1/6/131636825/jizamitolozit.pdf
    • http://dotux.langeamchs.com/uploads/1/3/0/7/130739540/3476764.pdf
    • http://rewifosix.manzanitasplayschools.org/uploads/1/3/0/8/130874063/6024054.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://79e81a30-06fb-4a34-a55b-f4fbc214319f.filesusr.com/ugd/031dda_81137be4875b4ae89a0be9aebe2826f5.pdf?index=true
    • https://06cf7d16-8e24-4b0b-9e7e-defa6f2c390f.filesusr.com/ugd/359e64_305e21cf6e0a466db3304d2223f99ccf.pdf?index=true
    • https://fa567ea5-449e-40ce-804d-5cb250ae16d4.filesusr.com/ugd/eda9ba_7321c1eb82044db78dd61840bbbf157c.pdf?index=true
    • https://be6f3265-b29a-4f6e-9eef-4e54451db396.filesusr.com/ugd/8c5bc8_43c91ee5508c42f78791ded18fc66df9.pdf?index=true
    • https://2fefe763-7cc8-4e64-9755-7a55ec9da97d.filesusr.com/ugd/bcb9fd_4c95e2918f0544ab8f91999b922a8c5e.pdf?index=true
    • https://8daffdb7-b95f-4860-865d-fe7ec77ec3c9.filesusr.com/ugd/9058e5_22c4a17998e74fe88f89ca2d681b4fe0.pdf?index=true
    • https://f0ca9efe-1821-45d5-80a8-40dfe273b849.filesusr.com/ugd/2eedf1_c198375d873c40eb812bc6f13c3de2a5.pdf?index=true
    • https://9cc41158-1e0d-4c4b-a351-78576adf107f.filesusr.com/ugd/9ef0c3_4690c330276b49e9a35b0382274e6faa.pdf?index=true
    • https://28862ee3-0ecd-47f4-9228-c2a302658354.filesusr.com/ugd/ef0078_f65bd64938c8499e82269792f5d9b662.pdf?index=true
    • https://22b90090-d432-4119-a94f-2a2ac9fd30a8.filesusr.com/ugd/565485_b7058463b5b04c45b6b58d79b1f4ea5e.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
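The three structural heuristics above (clustered link farm, non-clustered link farm on disposable hosting, and duplicate object bodies) can be reproduced offline. The Python below is an added example, not the analysis platform's own code: REPORT_URLS is copied from the URL list above, SAMPLE_PDF is a constructed minimal file (not the analysed sample), and the disposable-host list, the two-label registrable-domain rule, the cluster threshold and the label names SEO_REDIRECTOR_PARAM, ACTIVE_KEYS are assumptions made for illustration.

```python
"""Added example, not the report's own tooling: reproduces the link-farm,
redirector and duplicate-object heuristics from the report. REPORT_URLS is
copied from the report; SAMPLE_PDF is a constructed minimal file, not the
analysed sample; the disposable-host list and the registrable-domain rule
are assumptions."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

DISPOSABLE_HOST_SUFFIXES = ("filesusr.com",)        # assumed free-hosting list
REDIRECTOR_PARAMS = {"keyword", "utm_term"}         # redirector query keys the report names
METADATA_HOSTS = {"www.w3.org", "purl.org", "ns.adobe.com",  # XMP/font URLs, not clickable
                  "scripts.sil.org", "dejavu.sourceforge.net"}


def registrable_domain(host):
    # Assumption: last two labels approximate the registrable domain (no public-suffix list).
    return ".".join(host.split(".")[-2:])


def classify_links(urls, min_links=5, cluster_ratio=0.5):
    """Return the heuristic labels a list of clickable URLs triggers."""
    labels, pdf_hosts, redirector, disposable = set(), [], [], []
    for u in urls:
        p = urlparse(u)
        host = (p.hostname or "").lower()
        if not host or host in METADATA_HOSTS:
            continue
        if REDIRECTOR_PARAMS & set(parse_qs(p.query)):
            redirector.append(u)
        if host.endswith(DISPOSABLE_HOST_SUFFIXES):
            disposable.append(u)
        if p.path.lower().endswith(".pdf"):
            pdf_hosts.append(host)
    if redirector:
        labels.add("SEO_REDIRECTOR_PARAM")
    if len(pdf_hosts) >= min_links:
        # Cluster once by registrable domain and once by full hostname: the ten
        # filesusr.com links share a domain but every subdomain is unique, which is
        # why both the clustered and the non-clustered link-farm labels fire.
        top_domain = Counter(map(registrable_domain, pdf_hosts)).most_common(1)[0][1]
        top_host = Counter(pdf_hosts).most_common(1)[0][1]
        if top_domain / len(pdf_hosts) >= cluster_ratio:
            labels.add("PDF_SEO_LINK_FARM")
        if top_host / len(pdf_hosts) < cluster_ratio and (redirector or disposable):
            labels.add("PDF_SEO_DISPOSABLE_LINK_FARM")
    return labels


# "N G obj ... endobj" definitions; a stream whose binary data contains "endobj" needs a real parser.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction", b"/AA")


def find_duplicate_objects(pdf_bytes):
    """Objects whose (number, generation) is defined more than once with different
    bytes, with the body a first-wins and a last-wins reader would each resolve."""
    bodies = {}
    for m in OBJ_RE.finditer(pdf_bytes):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(m.group(3).strip())
    return {
        key: {"first": b[0], "last": b[-1],
              "active": any(k in body for body in b for k in ACTIVE_KEYS)}
        for key, b in bodies.items() if len(set(b)) > 1
    }


REPORT_URLS = [  # copied from the report's URL list
    "https://ttraff.me/wix?keyword=sims+4+super+sim+challenge+dansk",
    "http://jofed.internetartexhibition.net/uploads/1/3/1/0/131070171/9357d9.pdf",
    "http://nuvirale.eileenenwrighthodgetts.com/uploads/1/3/1/4/131438500/154732a1886.pdf",
    "http://luvejo.eastcentralcasa.com/uploads/1/3/1/4/131453247/93cdd054.pdf",
    "http://nupagu.reviewgraphs.com/uploads/1/3/1/6/131636825/jizamitolozit.pdf",
    "http://dotux.langeamchs.com/uploads/1/3/0/7/130739540/3476764.pdf",
    "http://rewifosix.manzanitasplayschools.org/uploads/1/3/0/8/130874063/6024054.pdf",
    "http://www.ascendercorp.com/", "http://www.ascendercorp.com/typedesigners.html",
    "https://79e81a30-06fb-4a34-a55b-f4fbc214319f.filesusr.com/ugd/031dda_81137be4875b4ae89a0be9aebe2826f5.pdf?index=true",
    "https://06cf7d16-8e24-4b0b-9e7e-defa6f2c390f.filesusr.com/ugd/359e64_305e21cf6e0a466db3304d2223f99ccf.pdf?index=true",
    "https://fa567ea5-449e-40ce-804d-5cb250ae16d4.filesusr.com/ugd/eda9ba_7321c1eb82044db78dd61840bbbf157c.pdf?index=true",
    "https://be6f3265-b29a-4f6e-9eef-4e54451db396.filesusr.com/ugd/8c5bc8_43c91ee5508c42f78791ded18fc66df9.pdf?index=true",
    "https://2fefe763-7cc8-4e64-9755-7a55ec9da97d.filesusr.com/ugd/bcb9fd_4c95e2918f0544ab8f91999b922a8c5e.pdf?index=true",
    "https://8daffdb7-b95f-4860-865d-fe7ec77ec3c9.filesusr.com/ugd/9058e5_22c4a17998e74fe88f89ca2d681b4fe0.pdf?index=true",
    "https://f0ca9efe-1821-45d5-80a8-40dfe273b849.filesusr.com/ugd/2eedf1_c198375d873c40eb812bc6f13c3de2a5.pdf?index=true",
    "https://9cc41158-1e0d-4c4b-a351-78576adf107f.filesusr.com/ugd/9ef0c3_4690c330276b49e9a35b0382274e6faa.pdf?index=true",
    "https://28862ee3-0ecd-47f4-9228-c2a302658354.filesusr.com/ugd/ef0078_f65bd64938c8499e82269792f5d9b662.pdf?index=true",
    "https://22b90090-d432-4119-a94f-2a2ac9fd30a8.filesusr.com/ugd/565485_b7058463b5b04c45b6b58d79b1f4ea5e.pdf?index=true",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#", "http://purl.org/dc/elements/1.1/",
]
SAMPLE_PDF = (  # constructed: object 4 0 is redefined by an appended incremental update
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/a.pdf) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://ttraff.me/wix?keyword=x) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(sorted(classify_links(REPORT_URLS)))
    print(find_duplicate_objects(SAMPLE_PDF))
```

Run against the report's URL list, the link classifier fires both link-farm labels for the reason the report gives: ten of the sixteen PDF links sit under one registrable domain (filesusr.com) while no single hostname repeats, and the keyword= parameter on the ttraff.me link corroborates the redirector pattern. The duplicate-object scan on the constructed file shows the shape the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic describes: a first-wins reader resolves the example.org link, a last-wins reader the redirector, and the rule escalates because both bodies carry a /URI action.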

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000d211.bin | ae16e4c6bba79020e0c313f7666c5e003a48aeeaa022ae3debdd057a90459576 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD211 | 5744 bytes
font_01_sfnt_off0000e577.bin | 876cfb29b33213c653f48c0ee32fb092b36a1fc5ffd2c7f197f4ff7f4b1db6d3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE577 | 11684 bytes
font_02_sfnt_off00010d48.bin | e7af3a6f15a587022d9f9307d132185c4cc82c0bdcc84be95fc63945f21e1700 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10D48 | 17256 bytes