Malicious PDF — malware analysis report

Static analysis result for SHA-256 7a0960fd30d38971…

MALICIOUS

PDF

41.9 KB Created: 2020-08-31 09:06:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fd7311517ae6d21dcfb6a55cd3e349c1 SHA-1: ed9816b81af02839ea04b8c856ce9842944ae0d0 SHA-256: 7a0960fd30d389718f4d53563ad6b402aab992ddd278fd983c08b445e60bd439
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to a redirector infrastructure. The primary malicious URL identified is https://ttraff.cc/wix?keyword=supreme+commander+forged+alliance+controls, which is likely used to direct users to a malicious site. The presence of numerous links suggests a link farm or SEO poisoning tactic to distribute malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=supreme+commander+forged+alliance+controls
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0430/8949/4177/files/78868510205.pdf
    • https://cdn.shopify.com/s/files/1/0433/4403/5993/files/skype_apk_file.pdf
    • https://cdn.shopify.com/s/files/1/0434/0465/6790/files/majenoredomogovanewu.pdf
    • https://static.usrfiles.com/ugd/1cfe37_94cad4cf91b54f6f8f5d106dc909137d.pdf
    • https://static.usrfiles.com/ugd/b8c837_dd43c14f88954335ae0f6564ca109218.pdf
    • https://static.usrfiles.com/ugd/9ea9b6_8972d3ff94cc494c9fe224c8e0589a2e.pdf
    • https://static.usrfiles.com/ugd/6c98bc_2e94e066127e4a528013675ba3cd2a47.pdf
    • https://static.usrfiles.com/ugd/eb4c03_7197d5ae55ad4e9ea6215718c714f52f.pdf
    • https://static.usrfiles.com/ugd/a01749_3e6ea16fef3540d6bec1e3da6a5c8af4.pdf
    • https://static.usrfiles.com/ugd/23e9be_bac4d4fcd0de4f3e9c17847cca17a6d3.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006152.bin
a91f9369d5aa52b55a6194a3dc95a6010ded47d143d6564ee5f583bb44b55bf1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6152 5580 bytes
font_01_sfnt_off00007434.bin
2fb40d9b57a702e58571bd316fb920972a6782730b3577a4a99b0e0dfdc46799		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7434 12108 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.