Malicious PDF — malware analysis report

Static analysis result for SHA-256 81c4018e39b47c77…

MALICIOUS

PDF

38.1 KB Created: 2020-10-25 18:39:06 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14
MD5: 093cc4366634be7a01867e838ee21f6d SHA-1: 93d88ea3f9fb3f52d274cb90e0127ab60e771cc2 SHA-256: 81c4018e39b47c7728ef81d963b357e70cb61592f75903ca90fc4f6874a6182b
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links, many of which point to a redirector service. The primary redirector URL is `https://ttraff.link/123?keyword=common+splices+and+joints+pdf`, which is flagged as malicious. This suggests a phishing or scam attempt where users are tricked into clicking links that lead to malicious sites, likely for malware distribution or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/123?keyword=common+splices+and+joints+pdf In PDF document text
    • https://gurigibafex.weebly.com/uploads/1/3/0/7/130739571/rumalax-gixasufusez-labunajigom-popado.pdfIn PDF document text
    • https://gofobodobade.weebly.com/uploads/1/3/4/4/134444694/letufemelazopawupoko.pdfIn PDF document text
    • https://zinikedefi.weebly.com/uploads/1/3/0/7/130740178/6867760.pdfIn PDF document text
    • https://norumevi.weebly.com/uploads/1/3/0/9/130969469/rarokujagurewenuk.pdfIn PDF document text
    • https://sopopubepomexak.weebly.com/uploads/1/3/4/2/134265445/2cfbb522.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://cdn.shopify.com/s/files/1/0484/8392/6171/files/app_to_fix_red_eye_android.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0498/2118/8251/files/no_starch_diet_plan.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0502/4756/5512/files/32279163625.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f517b8da-4a7c-404c-9248-04634e75e04d/coc_base_building_guide.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0482/7306/4097/files/canon_lide_110_scanner_software.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0495/9682/5764/files/48581189276.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0497/9366/3137/files/83685720371.pdfIn PDF document text
    • https://s3.amazonaws.com/kewakuko/alma_ata_1978.pdfIn PDF document text
    • https://s3.amazonaws.com/gupuso/xofarojovalogerisawefa.pdfIn PDF document text
    • https://s3.amazonaws.com/pazifetanegapu/74931006968.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0429/3486/1991/files/draw_right_side_brain.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0503/8650/1806/files/short_summary_of_animal_farm.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0266/8894/6346/files/astm_a193_standard.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0499/5937/0904/files/behavior_chart_app_for_android.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005884.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5884 5188 bytes
SHA-256: e198aa099cf6922e6407e5beb84dfc2bf888e5d91aa9c4cf8add3bddcc4d9ce2
font_01_sfnt_off00006a10.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6A10 9784 bytes
SHA-256: b41ac361dda2a409fe78af0d547b71aec192d5e6152f38eba90f9f99f9d79fd1