Malicious PDF — malware analysis report

Static analysis result for SHA-256 c70f12fce605950a…

MALICIOUS

PDF

43.9 KB Created: 2020-09-17 03:09:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ee79be6bb165096f6ebd7e51966549fd SHA-1: 4438132a2182fdf1c4925fb661392f73f37c7ec2 SHA-256: c70f12fce605950af2f7c8bcb735bb937e7e15f7a1d59f451eee6511a72dca2d
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded links, with a critical heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK indicating a link to known malicious infrastructure. The document body, though heavily obfuscated, contains text that appears to be a product manual lure, and the URL https://ttraff.me/wix?keyword=garden+tower+2+manual is presented as a direct link. The presence of a large number of external PDF links also suggests a link farm for SEO poisoning or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=garden+tower+2+manual
    • http://sefod.animalecologylab.org/uploads/1/3/1/6/131606346/1147446.pdf
    • http://files.newkensingtonpsumetz.com/uploads/1/3/1/0/131070192/036a7ac3a.pdf
    • http://savado.radiantbio.com/uploads/1/3/0/7/130775443/3986660.pdf
    • http://sabupo.talaldaoud.com/uploads/1/3/0/7/130775997/vuzogaxekawep_xutinutetulim_lejerarinilomaz.pdf
    • http://dasis.northernhighbands.com/uploads/1/3/1/6/131607240/xirujezer.pdf
    • http://firokudeg.gobuzzs.com/uploads/1/3/1/4/131483065/daxad.pdf
    • http://files.grumpypuppybarkery.com/uploads/1/3/2/6/132681885/f72e1fd17515.pdf
    • http://sujos.njoutdooradventures.com/uploads/1/3/1/1/131164557/5490415.pdf
    • http://files.biblereadingmarathon.org/uploads/1/3/1/6/131636903/vufotuwufog_tizowijis.pdf
    • http://files.archbaltapym.org/uploads/1/3/1/4/131406893/fefadeluzawisit-somafita-kudunobage.pdf
    • https://72ad440b-1fdd-4bc9-b155-20d15eec5815.filesusr.com/ugd/3d0627_e5e730218eeb4715bfa7760efc26ec1e.pdf?index=true
    • https://42ec5663-240c-4b83-acab-11e6d20a5381.filesusr.com/ugd/163759_3eda1c072a7e4b8e90adb32330032a40.pdf?index=true
    • https://8c433e74-5577-4412-ad28-18eef42192a0.filesusr.com/ugd/158fb9_4e417fc978e84c4bab67967118d5a0b8.pdf?index=true
    • https://dddcc9b3-528b-4ccd-82ee-92b3bf51e37a.filesusr.com/ugd/d7d6cd_bf56019035724bed93c220e0cd34fd42.pdf?index=true
    • https://35bc3911-8a6c-4bd1-9c19-579bcec55fdc.filesusr.com/ugd/98e2de_13bcd588b02a4a6d9d938ae896b68b8e.pdf?index=true
    • https://0863ad40-6f13-4ec5-80a6-9107ec4a9860.filesusr.com/ugd/3e7897_5752fb965c7144a09fe8ecd9527835ab.pdf?index=true
    • https://cdf7f12e-43bd-4f91-8237-00bc649d5073.filesusr.com/ugd/7d1dc9_958bc4da000d46109fb84903fb084e94.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005803.bin
9b8b8403d7239b6a8d1c1287c207e7bbf3f2a33a9294abd5956404ccf01484a7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5803 5048 bytes
font_01_sfnt_off00006920.bin
35ac1eef0e48a1bdff1b06119c9b5ed5c115a1a0b85b515f0502d49d325d3954		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6920 7168 bytes
font_02_sfnt_off00007cae.bin
ca1557b6c4e582f52c1b703db099aa9b59c7b8fdae4835aeb8577bc37a1fdfad		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7CAE 11100 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.