Malicious PDF — malware analysis report

Static analysis result for SHA-256 8784beacf0c48907…

MALICIOUS

PDF

46.0 KB Created: 2020-09-18 03:21:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e02bdca5f09abae6e9f971846cb8c95f SHA-1: 7eec8004893024648689c2ffaa67a90337671d26 SHA-256: 8784beacf0c4890728b64f24e8c355ddf550122117f9b346b7a1a9f0f0615bd9
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a large number of embedded links, many of which point to other PDF documents hosted on disposable domains. One of these links, https://ttraff.link/wix?keyword=hooked+on+phonics+learn+to+read+pdf, is identified as a malicious redirector, indicating a potential phishing or malware distribution attempt. The document body itself is heavily obfuscated and contains metadata suggesting it was generated by wkhtmltopdf.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=hooked+on+phonics+learn+to+read+pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://66ce967a-a6e3-4ed5-a493-cdd22d3ea990.filesusr.com/ugd/b14caa_e270dbaada6b4e3d8caf8a8498225df7.pdf?index=true
    • https://406a21bc-1b3f-4cb4-a887-d5d8e56e9dc7.filesusr.com/ugd/238140_710864a772c24c63893716a909275579.pdf?index=true
    • https://6bb5da3b-887c-4ad3-a3e0-9790474ebfbe.filesusr.com/ugd/29c71c_fc9224810d4d42c3b8bda55e9d65cc45.pdf?index=true
    • https://c38e87db-810a-4fc1-9087-eb0aba68ef3c.filesusr.com/ugd/0b46e6_3f7b5bcff4b841cba58862db54b3b6de.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0435/9480/9512/files/vodasesasura.pdf
    • https://cdn.shopify.com/s/files/1/0432/7125/8278/files/comptia_network_n10-_006_study_guide.pdf
    • https://cdn.shopify.com/s/files/1/0437/0962/8570/files/dudowezozibokow.pdf
    • https://cdn.shopify.com/s/files/1/0435/9441/6290/files/84280335892.pdf
    • https://cdn.shopify.com/s/files/1/0437/6995/4456/files/retiwaxaronaboxi.pdf
    • https://0b7153f3-2557-4b3a-a154-2a19b488332f.filesusr.com/ugd/89441e_055215d0630044c9afe29686e7944d36.pdf?index=true
    • https://c54ab9a6-fa4e-4498-b368-b24146bf408c.filesusr.com/ugd/24deb6_f3ef6431771c450b86e5106b72604b81.pdf?index=true
    • https://c333954d-c8fe-497f-8827-d30d5b430f8d.filesusr.com/ugd/29c71c_bd9d0f392c354b84984ab03d78cad6aa.pdf?index=true
    • https://502da21a-9ac5-42f0-a97b-cba26c4f04dd.filesusr.com/ugd/c88839_498433f9acf843e09441539d8395148b.pdf?index=true
    • https://1ebffc61-4feb-43f0-80e8-0ddccb19a6a9.filesusr.com/ugd/296484_5453868481e24baa9c4e7aa911a8eaba.pdf?index=true
    • https://27adb9f9-a639-42ef-9845-6bb7d844d41c.filesusr.com/ugd/ae15ca_2cf08335c3bd4b928c8cb702d1feb588.pdf?index=true
    • https://04f98df3-7026-44d5-882e-96bcad075468.filesusr.com/ugd/529385_af15051feabb4209a0fde08a45a0b232.pdf?index=true
    • https://4aba84f8-51a3-423a-bdfa-3c670f893829.filesusr.com/ugd/cd1d52_fd3b37046c03403c81526b652c520b7f.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d11.bin
f48d61ea0f5767ac69afc9181cae4a4f5024b19a7cc22cf0660da0d43bd481af		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D11 5268 bytes
font_01_sfnt_off00007eec.bin
a36eee06fef6ce219692c4ec918276ac99413e4fd1e3666e4031624f9289d620		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7EEC 1800 bytes
font_02_sfnt_off00008779.bin
3807f75d357b41cc46e652804aedb2ebc6a66f092bec2d998d330b62d5b33542		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8779 10200 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.