Malicious PDF — malware analysis report

Static analysis result for SHA-256 920ba61cd312b017…

MALICIOUS

PDF

53.3 KB Created: 2020-10-17 23:45:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 22d5fcfcc47973c0bc358b3101088a04 SHA-1: dd3b2c5dcd91ab20fe2cc0f6af8840d4fc0e4c39 SHA-256: 920ba61cd312b017276533fb0f7d4297f2ddf4a099ab24d562757603b4e7c962
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.me/123?keyword=small+business+expenses+list+pdf'. This URL is embedded within the document's body, suggesting a social engineering attempt to trick the user into visiting a malicious site. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/123?keyword=small+business+expenses+list+pdf
    • https://zoxuzuxebexot.weebly.com/uploads/1/3/0/9/130969059/tidivobinimigip-banez-batipafon.pdf
    • https://nitiruminaxodax.weebly.com/uploads/1/3/0/7/130738633/cf768e681479a.pdf
    • https://xojerajap.weebly.com/uploads/1/3/1/3/131384359/3373854.pdf
    • https://povutepumik.weebly.com/uploads/1/3/2/7/132741486/tajokakapuzavil_popolutev.pdf
    • https://buveziketi.weebly.com/uploads/1/3/1/3/131398526/1388095.pdf
    • https://cdn-cms.f-static.net/uploads/4369316/normal_5f8a31369f86a.pdf
    • https://cdn-cms.f-static.net/uploads/4366949/normal_5f874f14c969b.pdf
    • https://cdn.shopify.com/s/files/1/0498/0693/4178/files/auto_enchantment_table_setup.pdf
    • https://cdn.shopify.com/s/files/1/0500/0308/3424/files/lunedosemejowelagogagaxat.pdf
    • https://cdn.shopify.com/s/files/1/0484/8012/5082/files/bawajozukenirut.pdf
    • https://uploads.strikinglycdn.com/files/f7d325e4-2803-42ca-8da0-9842f026f2fd/97912153215.pdf
    • https://uploads.strikinglycdn.com/files/5c1a67cc-3d35-431a-abf2-ef67dd543189/zuverevavokag.pdf
    • https://uploads.strikinglycdn.com/files/0bda83b2-ca02-445e-b9fd-c2a00f028042/xasifogaxegilumojo.pdf
    • https://uploads.strikinglycdn.com/files/ce30b61a-56d4-46ec-8f76-5c706dd5be69/kawuxolekodabepib.pdf
    • https://cdn.shopify.com/s/files/1/0494/0801/6551/files/rebavitod.pdf
    • https://cdn.shopify.com/s/files/1/0492/3827/8300/files/devil_may_cry_trophy_guide.pdf
    • https://uploads.strikinglycdn.com/files/a8d011c2-b3ae-455c-a4a9-d036e5dc473a/79188214686.pdf
    • https://uploads.strikinglycdn.com/files/501fba8a-2c9d-4dcd-84a6-5a049aa76c67/viregojelurizuvasiwidoje.pdf
    • https://uploads.strikinglycdn.com/files/2d824cdc-ca00-4995-9dcd-b377e460ac6f/xamunefifikopijasabimunev.pdf
    • https://uploads.strikinglycdn.com/files/f34d649c-3931-4c9a-bfdb-251ab0a17b96/gumozos.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008443.bin
c14f38d5e4e108c0a57b105c9d3162ad1f8b7b064e299c03c9ffc31cd20f140f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8443 5172 bytes
font_01_sfnt_off000095bb.bin
1b0b90450e9b7fa33063caf48026b72e44f1714cee228afbffeb9b2c8c0a6f95		 pdf-font-stream PDF embedded font (sfnt) at offset 0x95BB 10456 bytes
font_02_sfnt_off0000b961.bin
1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB961 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.