Malicious PDF — malware analysis report

Static analysis result for SHA-256 87d86a449a3e3612…

MALICIOUS

PDF

40.5 KB Created: 2020-08-30 00:10:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-24
MD5: e778427a51fcbbc3bdaddf6cc5e36954 SHA-1: 58402cb04ece7cbfb04af171725f834b7fa56ad9 SHA-256: 87d86a449a3e3612a87ac1bcd83bf656f3466bfba1cbd890d97606d0a267db5f
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a heuristic match for malicious redirector links, pointing to `https://ttraff.cc/wix?keyword=9.s%25C4%25B1n%25C4%25B1f+kimya+soru+bankas%25C4%25B1`. The document body, though heavily obfuscated, also contains this URL, suggesting an attempt to trick users into clicking it. The presence of numerous other PDF links, many pointing to benign content, indicates a potential link farm or SEO poisoning tactic to mask the malicious redirector. No scripts were extracted, but the overall structure and the malicious URL strongly suggest a phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=9.s%25C4%25B1n%25C4%25B1f+kimya+soru+bankas%25C4%25B1 In PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://static.usrfiles.com/ugd/b8c837_15efeb427726487784f231101b4e8c43.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/3826db_2dd59fb977744a3385632f8f7ddf94cf.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/34ec99_ce53037a928e454ead9563aa60575441.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/b8c837_d60a498265e24d389fd958850a23d40f.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/49be48_3ffe97a791b9483cb5d3df08fb3eb4b4.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0431/7626/3841/files/18823813901.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/b8c837_38281d21d2b74252840743180cf1cba7.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/271e65_ae8ad2a3bcad4909b8e69f5246da583e.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/b8c837_dd7e36a9b1d546a4b3658a39909a64ec.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/b8c837_4c38232bcb744ef8919d9fbf7e0ddbee.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/b8c837_311dbce3144d43c98b3106dcf7d0116c.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/81274949660.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0438/6340/8795/files/21722083585.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0429/1903/5033/files/kadar_caruman_sip.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0431/1767/4656/files/sajowozilusugo.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005a13.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5A13 5312 bytes
SHA-256: a7e3063a0801edf42167d761ea5f58b546b35e3051e7315e125f939cb9a1fcbd
font_01_sfnt_off00006c0f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6C0F 12556 bytes
SHA-256: 6cf2a0a83b04becb326152bd6316d3c47f922403e9dbb39c144544897d6d3c7c

Open this report in the interactive analyzer, or submit your own file for analysis.