Malicious PDF — malware analysis report

Static analysis result for SHA-256 ba630715ce9417aa…

MALICIOUS

PDF

36.6 KB Created: 2020-11-03 13:55:56 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14
MD5: 3b3c92087a77e71b51836a050431e9e8 SHA-1: e1bc92cc0f29d95577a366834c1b342176658d5a SHA-256: ba630715ce9417aa832ccc6e809df732125fe31f20fecdd81faa29d206280320
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple heuristics indicating it's a malicious redirector, specifically designed to lure users via SEO-like links. The embedded URL 'https://ttraff.com/123?keyword=chittenden+group+naugatuck+ct' is flagged as a known malicious redirector. The document body, though heavily obfuscated, contains this URL and other PDF links, suggesting an attempt to drive traffic to malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/123?keyword=chittenden+group+naugatuck+ct In PDF document text
    • https://cdn-cms.f-static.net/uploads/4373997/normal_5f8e5282cfd9d.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4365998/normal_5f8735458d760.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4390071/normal_5f92cd42f268e.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4416305/normal_5f9ca75ee8e59.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369330/normal_5f9b6c648c924.pdfIn PDF document text
    • https://rakamukomegu.weebly.com/uploads/1/3/2/6/132681656/rinedufiwaditarip.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4426257/normal_5f9bc7ae8fe26.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4382780/normal_5f96e79f8c00a.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4380859/normal_5fa0b00347deb.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4371806/normal_5f95873b4c9df.pdfIn PDF document text
    • https://jukafubu.weebly.com/uploads/1/3/0/8/130874261/8778445.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366653/normal_5f8bdb3345cee.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4374859/normal_5f8b317a18a45.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4413005/normal_5f99a95e6688c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4413125/normal_5f9c142aa0395.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/a3389102-5605-4ac0-8206-30fd33593a74/daredevil_season_3_episode_11.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/acbab757-79ef-4c8c-b5de-098b2ad86cc2/74218220482.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000513f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x513F 5092 bytes
SHA-256: 52601cfac5ab85b096e0a535a7f468b047d54d7b16296dd3c086a007a10ed5af
font_01_sfnt_off00006289.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6289 10504 bytes
SHA-256: 146ecafe257e08670b994f4beaa57cc1ee9aeb96e4a875c6c265810b84314904