Malicious PDF — malware analysis report

Static analysis result for SHA-256 b3b71aff21a0bc66…

MALICIOUS

PDF

98.8 KB Created: 2020-10-25 09:40:17 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3dd2f810e3a61e74c70c97de1b7cac46 SHA-1: 46ba244768f312640fa65322bd05918fff5b5d6e SHA-256: b3b71aff21a0bc66ebed1125d7325f00922c1d67c9f7e37905e057e766585048
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for linking to known malicious redirector infrastructure, specifically `https://ttraff.club/123?keyword=ieee+802.11+standards+pdf+2020`. Additionally, it exhibits characteristics of a PDF link farm, with numerous links pointing to external PDFs, many hosted on platforms like Weebly. The ML classifier also strongly indicated maliciousness. These factors suggest the document's primary purpose is to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/123?keyword=ieee+802.11+standards+pdf+2020
    • https://jimagofer.weebly.com/uploads/1/3/0/8/130813953/venolusivuvig.pdf
    • https://zevigetadafuwun.weebly.com/uploads/1/3/0/9/130969942/lelorozexo.pdf
    • https://panidulupeju.weebly.com/uploads/1/3/0/9/130969186/riwamiseki.pdf
    • https://cdn-cms.f-static.net/uploads/4366625/normal_5f8e23ac35501.pdf
    • https://cdn-cms.f-static.net/uploads/4377112/normal_5f917f7b70de7.pdf
    • https://cdn-cms.f-static.net/uploads/4370777/normal_5f8fd336b163a.pdf
    • https://cdn-cms.f-static.net/uploads/4367944/normal_5f8ab4fe8a9ba.pdf
    • https://cdn-cms.f-static.net/uploads/4388405/normal_5f918ef452a5c.pdf
    • https://cdn-cms.f-static.net/uploads/4372955/normal_5f8a64ec4075b.pdf
    • https://cdn-cms.f-static.net/uploads/4369905/normal_5f91a0096dc95.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0496/6468/8292/files/dinuxatezakiwesano.pdf
    • https://cdn.shopify.com/s/files/1/0497/9110/7233/files/44762627128.pdf
    • https://cdn.shopify.com/s/files/1/0433/2408/0282/files/67014568498.pdf
    • https://cdn.shopify.com/s/files/1/0433/2971/6374/files/zivonude.pdf
    • https://uploads.strikinglycdn.com/files/37be8176-fd47-408a-840a-3f49328ff113/multiplication_chart_30x30_printable.pdf
    • https://uploads.strikinglycdn.com/files/012ab833-a26c-43fe-9860-d87a23593c06/unblocked_games_66_douchebag_workout.pdf
    • https://uploads.strikinglycdn.com/files/8baae68c-2fca-4548-8cfe-47f72fa89aad/kofodidakurakexag.pdf
    • https://uploads.strikinglycdn.com/files/1a85339a-77f0-4712-a2d0-12aa2c1ae9a4/78774202174.pdf
    • https://uploads.strikinglycdn.com/files/58fcfa1b-5890-4033-a62e-a206ad5662aa/ricky_nelson_discografa_tpb_pato.pdf
    • https://uploads.strikinglycdn.com/files/842d6e69-a55d-4af0-a7c8-8b821eac8ccf/26611544886.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00013493.bin
f8bbc3f626750d9ae22db1d78f919b4852121d396115fbb8003c71fe8bbcc3d5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13493 5492 bytes
font_01_sfnt_off00014754.bin
d0c9e33916e9e64e42e31bcf0d345f6c2fcd41735b1a34df0119bd0eb1094281		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14754 3720 bytes
font_02_sfnt_off000152b8.bin
2484643cde979366418506a20d07fe550db99c3e996701bcdb9575bb79564d27		 pdf-font-stream PDF embedded font (sfnt) at offset 0x152B8 12468 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.