Malicious PDF — malware analysis report

Static analysis result for SHA-256 a1ac070083f43d7c…

MALICIOUS

PDF

51.4 KB Created: 2020-08-30 08:38:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 21a141f317265bbec10874882d513e34 SHA-1: 89c9d96cce9ae3fb6b00b29f31f3f30f20361d35 SHA-256: a1ac070083f43d7c522c49e4e92d20ca15cb5628d6b7a6c303684772935c9291
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged as malicious due to a critical heuristic identifying it as a redirector link to known malicious infrastructure. It also contains a large number of external PDF links, suggesting a link farm. The primary malicious URL identified is https://ttraff.com/wix?keyword=kevin+hakk%25C4%25B1nda+konu%25C5%259Fmal%25C4%25B1y%25C4%25B1z+altyaz%25C4%25B1l%25C4%25B1. While the document body contains garbled text and some URLs, the heuristic firings are the strongest indicators of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=kevin+hakk%25C4%25B1nda+konu%25C5%259Fmal%25C4%25B1y%25C4%25B1z+altyaz%25C4%25B1l%25C4%25B1
    • https://cdn.shopify.com/s/files/1/0431/2937/2836/files/63005561573.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/58829080427.pdf
    • https://cdn.shopify.com/s/files/1/0462/5983/0938/files/vunapadu.pdf
    • https://cdn.shopify.com/s/files/1/0438/3395/0358/files/gifoxe.pdf
    • https://static.usrfiles.com/ugd/73cb9e_3c98ffafbb2240dd8a414504610e1198.pdf
    • https://static.usrfiles.com/ugd/4b7290_41280493a57b42c2b994baaf51b5956c.pdf
    • https://static.usrfiles.com/ugd/10b11f_d04077de9de044628d6c0acdc0061cb7.pdf
    • https://static.usrfiles.com/ugd/b8c837_20bbe3f36a484a43a8c1ce7aeb723816.pdf
    • https://static.usrfiles.com/ugd/b8c837_98c42a7bebad40b3bb10e7c6e3deba65.pdf
    • https://static.usrfiles.com/ugd/b8c837_2a168aa21abb4672b0bcdeffe4bc379d.pdf
    • https://static.usrfiles.com/ugd/b8c837_472b0cba763d46308803ba4754990508.pdf
    • https://static.usrfiles.com/ugd/b8c837_be5457d0f07345329b450ef9715aedde.pdf
    • https://static.usrfiles.com/ugd/3aca14_14da4997a95841b1bbc61c5127763096.pdf
    • https://static.usrfiles.com/ugd/70a38d_fc24119418524ad2bddf4e44134bbf36.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006499.bin
5ae7d5d732f8de4ad4d48c74445f8ca8a156e6ac4bf81523bbff43398f2cf893		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6499 5200 bytes
font_01_sfnt_off0000762e.bin
b41394736127222c7817e73241bbe6d02d0a31fe851badca8ceaaa84965d29ed		 pdf-font-stream PDF embedded font (sfnt) at offset 0x762E 10784 bytes
font_02_sfnt_off00009975.bin
bf8c0df08d15f23cbe973db243b6e697da1e6bd06246bd760ca421b8c99065e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9975 16404 bytes
font_03_sfnt_off0000afa0.bin
d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAFA0 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.