Malicious PDF — malware analysis report

Static analysis result for SHA-256 de3e9b7f545f07dc…

MALICIOUS

PDF

47.4 KB Created: 2020-11-05 10:46:36 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14
MD5: 06fcf8753336290c1c462009cc2ed2e6 SHA-1: e018f9b5e9510cc54bf8879a6269d946c3c92fce SHA-256: de3e9b7f545f07dc67dae677334ee6810628a13af2fceb432069937c309dc166
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple heuristics indicating it is a malicious redirector and part of an SEO link farm. It embeds links to known malicious infrastructure, specifically 'ttraff.com', which is flagged as a redirector. The document body, though heavily obfuscated, contains references to the same malicious URLs found in the heuristics, suggesting an intent to direct users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/123?keyword=crain+hyundai+north+little+rock+arkansas In PDF document text
    • https://gitijekukojijot.weebly.com/uploads/1/3/4/6/134626905/xirepewebibaxawafuxe.pdfIn PDF document text
    • https://mogezisatizate.weebly.com/uploads/1/3/0/7/130775403/a6fd1d.pdfIn PDF document text
    • https://rigafefabapamum.weebly.com/uploads/1/3/4/4/134486683/06f7ac97a6.pdfIn PDF document text
    • https://rajomiluti.weebly.com/uploads/1/3/2/6/132682989/vuzufuxefobit-tenoliv.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/felasorarabipis/95631071610.pdfIn PDF document text
    • https://s3.amazonaws.com/panalipolifod/60006516505.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/749dc4ba-b914-4770-acc0-2d92d4dcf8ba/wasupusidilebiveru.pdfIn PDF document text
    • https://s3.amazonaws.com/jutenojamega/eighth_amendment_and_bail.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/270f5ca5-7cae-49a7-b99e-3986d56b1f69/the_song_of_achilles_ebook.pdfIn PDF document text
    • https://s3.amazonaws.com/zirojopemup/guia_ceneval_exani_ii_2018.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8f4724ac-ecb8-4cde-8c6c-076030981877/maths_study_guide_grade_12.pdfIn PDF document text
    • https://s3.amazonaws.com/juzalizuvar/56853940570.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8bc7b83c-db57-45aa-90ac-93b444b10b51/bdo_failstack_guide_reddit.pdfIn PDF document text
    • https://s3.amazonaws.com/kakekojezutok/united_767_300_seat_map.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000717a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x717A 5100 bytes
SHA-256: 357e3bc40068a8ea7fd37282523b593b9b8ab507beacd5a1a366c2120644a7ec
font_01_sfnt_off000082cc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x82CC 14448 bytes
SHA-256: fcafede5cd829c328d3071c4b20bc614437dd000486ed6a49ff086284155425b