Malicious PDF — malware analysis report

Static analysis result for SHA-256 c0cfe4d57895ac2a…

Verdict: MALICIOUS
File type: PDF
Size: 46.7 KB
Created: 2020-10-20 02:45:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-23
MD5: 371c528f88e49af467363679b10004de
SHA-1: bad1e72c0685fe86b6cc13653f78489fa8cc5d33
SHA-256: c0cfe4d57895ac2a5ec500cdc3f3cebf7c8bd94a853317210ec97e46bea44783
Risk Score: 184

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains a large number of embedded links, many of which point to redirectors and disposable hosting, indicating a link farm designed to lure users to malicious sites. The primary malicious URL identified is ttraff.ru, which is flagged as a known malicious redirector. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/123?keyword=proceso+de+nixtamalizacion+del+maiz+pdf (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000075b2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x75B2 | 5420 bytes
  SHA-256: 925f445fb0445577bc961e0c59b70dbe53a6fe8a27e74551109025fc42d37a8c
font_01_sfnt_off0000880b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x880B | 10768 bytes
  SHA-256: 4effb0e68628073ad856b9721e970bec0354f8fe050022e27d9c6fb882241215