Malicious PDF — malware analysis report

Static analysis result for SHA-256 c4fbce62d612ef44…

Verdict: MALICIOUS
File type: PDF
Size: 41.4 KB
Created: 2020-09-18 03:01:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3848fdb2e96be5d71bf637fb01bd37c3
SHA-1: 740873e5d66f3bf6deebc7803c30b7f70f1c8390
SHA-256: c4fbce62d612ef44c57ea818bd293ffd218f31f0a2923d2b5940b1ce1e8e7adf
Risk score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF file contains a large number of embedded links, many of which point to external PDF files, suggesting a link farm for SEO manipulation. One prominent URL, 'https://ttraff.me/wix?keyword=gruber%2527s+complete+sat+guide+2016+pdf+free+download', is identified as a malicious redirector. The document body, though partially corrupted, also contains this URL and appears to be a lure for a free study guide download. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (severity: info, rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://ttraff.me/wix?keyword=gruber%2527s+complete+sat+guide+2016+pdf+free+download

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00005230.bin
    SHA-256: 56d2d3c967565c453738ae8e39bd957063f584366ecde15e7342294095098ab8
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x5230; Size: 6136 bytes
  • font_01_sfnt_off00006718.bin
    SHA-256: 3c433e246ecc33a3aaa11764a8ff3e09ba9ce2e7f2aaca2ca6830b454acf9dc1
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x6718; Size: 10296 bytes
  • font_02_sfnt_off00008a65.bin
    SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x8A65; Size: 4324 bytes