Malicious PDF — malware analysis report

Static analysis result for SHA-256 84fbaf43b743d44f…

Verdict: MALICIOUS
File type: PDF
Size: 51.6 KB
Created: 2020-09-18 03:18:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a58364e86883452eee3c9ec22d70b185
SHA-1: f0e36e5de09274f83b4c8869de8b6912594013e8
SHA-256: 84fbaf43b743d44fc6c3c61045eccfea42c69fb8f3c65363cab205eaea4d6330
Risk Score: 184

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links, many of which point to disposable hosting and redirect to malicious infrastructure. The primary malicious URL identified is 'https://ttraff.club/wix?keyword=kefka+guide+ffxiv', which is flagged as a malicious redirector. This suggests the document is designed to drive traffic to potentially harmful sites, possibly for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [medium] PDF_SEO_DISPOSABLE_LINK_FARM: Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.club/wix?keyword=kefka+guide+ffxiv

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000083d2.bin
  SHA-256: 08ab2ed15a0f03525d58a482eebf1d659e734881580854cdb04fa578b22255b1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x83D2
  Size: 4928 bytes

Filename: font_01_sfnt_off000094c1.bin
  SHA-256: b88370c181306ad634d5019858e5752d8a89c4929fc929f06c081d57ecc3e2db
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x94C1
  Size: 14552 bytes