Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee3a3ff0f2ff82af…

Verdict: MALICIOUS
File type: PDF
Size: 37.8 KB
Created: 2020-10-31 09:56:57 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cde44a62ef726a7b67404974ef8bdea6
SHA-1: 17339d7414ec2904a235b521b8515567096b1b18
SHA-256: ee3a3ff0f2ff82af611c2e786e800a3d1f2a34994a98d09a17e6271066f28818
Risk score: 94

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a link to known malicious redirector infrastructure, specifically 'https://ttraff.club/123?keyword=kakashi+and+naruto+vs+deidara'. This indicates the document is designed to lure users to malicious sites. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted, but the presence of embedded URLs and the critical heuristic firing strongly suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.club/123?keyword=kakashi+and+naruto+vs+deidara (flagged: link annotation to known malicious redirector)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004ad1.bin
  SHA-256: f5cf9d1f2d4db224b5db2b5df9190fd11f1b282ae12750aabc305fe71bb3e3d8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4AD1
  Size: 3752 bytes

Filename: font_01_sfnt_off0000582b.bin
  SHA-256: c6c525b0fc9dff916ba3d1e6946c005b9f5d72b61650567c2ab80cca9e67be70
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x582B
  Size: 4972 bytes

Filename: font_02_sfnt_off00006911.bin
  SHA-256: f3ce65eb3e93928898a0bb2ab43a785d0f2c1e6ab8d8e5673f6ce12b5d6ed3e5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6911
  Size: 9948 bytes