Malicious PDF — malware analysis report

Static analysis result for SHA-256 c20b12bb2d940bec…

MALICIOUS

PDF

52.5 KB Created: 2020-07-11 22:23:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-08-25
MD5: 99f83258c5b037bf675be80d0bb3dcb0 SHA-1: dbd1c79ebe14cd534702c80281725051558b97eb SHA-256: c20b12bb2d940bec8c2d0017de5da76d78e08668c26b202852a37195cd7c4499
192 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains multiple embedded links, including a critical redirector link to 'ttraff.cc', which is flagged as malicious. The document's content appears to be a lure, disguised with text related to hygiene management, to entice users to click these links. The presence of a large number of external PDF links suggests a link farm or SEO poisoning tactic, likely to distribute further malicious content or phish for credentials.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=nmx-f-605-normex-2004+manejo+higi%25C3%25A9nico+en+el In PDF document text
    • http://files.soseijudo.com/uploads/1/3/0/9/130969298/d6c7db03e64638.pdfIn PDF document text
    • http://files.comicidal.net/uploads/1/3/1/1/131163953/fozumatejozap-makuwizoreri-kisajivig-ruwejagavimoge.pdfIn PDF document text
    • http://files.pdxprays.com/uploads/1/3/1/3/131383018/wikixawasagi.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://susozunax.files.wordpress.com/2020/06/50774685593.pdfIn PDF document text
    • https://remokizob.files.wordpress.com/2020/07/noxituxataxikidenub.pdfIn PDF document text
    • https://rexuwupipipa.files.wordpress.com/2020/07/xupipikaxop.pdfIn PDF document text
    • https://kobumep.files.wordpress.com/2020/06/defebowanamudajad.pdfIn PDF document text
    • https://ramokewunema.files.wordpress.com/2020/06/vexigij.pdfIn PDF document text
    • https://zovimefifu.files.wordpress.com/2020/07/35007334771.pdfIn PDF document text
    • https://fosapab.files.wordpress.com/2020/06/nawamaduboni.pdfIn PDF document text
    • https://kozaxijewob.files.wordpress.com/2020/07/60581946530.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0429/5196/6873/files/64089807921.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/83300066175.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0427/7580/6119/files/69376061992.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0429/1058/0899/files/57653647584.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/tadigepulimo.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0433/0697/5382/files/zewukofo.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0430/0128/2711/files/13802298832.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009751.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x9751 5752 bytes
SHA-256: bb8ea51349d433bdd3ba524cf0bc4956df61d848b9fe906abf771eecbb75ee3d
font_01_sfnt_off0000aa82.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xAA82 13488 bytes
SHA-256: a656bd422ac097a584e17b3dd1ea28775d0dd5592ca86127a9d4a2e03d119014