Malicious PDF — malware analysis report

Static analysis result for SHA-256 a73e1e073fe41411…

MALICIOUS

PDF

35.3 KB Created: 2020-10-29 18:10:49 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-04
MD5: 57871bf84aa8737f0893f2a9272da472 SHA-1: da738a91149c986d0e044af828a8724295321f8a SHA-256: a73e1e073fe4141171c27440659d52c619b042a2a1bbcac72939d0171633c530
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains numerous links to external resources, including a known malicious redirector at 'https://ttraff.com/123?keyword=big+book+awakening'. The document also exhibits characteristics of a remote support tool lure, suggesting an attempt to trick the user into installing or running potentially malicious software. The ML classifier strongly indicated maliciousness, and the presence of embedded links points towards a phishing or social engineering attack vector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Remote-support tool lure high SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/123?keyword=big+book+awakening In PDF document text
    • https://kubupukadumu.weebly.com/uploads/1/3/1/3/131382740/ratekol.pdfIn PDF document text
    • https://xepebujusu.weebly.com/uploads/1/3/4/3/134319702/4c045b8d466.pdfIn PDF document text
    • https://sifizebutu.weebly.com/uploads/1/3/0/8/130814914/zenuke.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/nuxulikiwab/adverb_of_frequency_lesson.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/49ac8c9e-03e4-43be-82ac-3cadaf053c83/how_many_angles_in_a_pentagon.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0504/7219/0132/files/93654971609.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/62deae57-e5ff-4fc6-88de-2327a2432798/cosco_3_step_ladder.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/bcfb122f-7786-42ea-a760-51676512eae8/74179937023.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0500/8057/9755/files/37355564677.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1f9c0c0e-b13b-4760-9b10-7367baf4e0a6/incode_outcode_calculator_download.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004a84.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x4A84 4892 bytes
SHA-256: 5b66a2684b04ba7cac45e0b93cacf16eef0f41b00fc17906bbe252a561a21569
font_01_sfnt_off00005b5f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5B5F 11060 bytes
SHA-256: 9d3ed802b033687a9e1cd4055556e33b01c34f2473ce8f1679684c650283d9f4