Malicious PDF — malware analysis report

Static analysis result for SHA-256 f3e8ddcf7017890b…

MALICIOUS

PDF

Size: 52.9 KB
Created: 2020-10-30 13:06:27 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-22
MD5: 6416c7d81f59329ff6d9ee7ac6b0c945
SHA-1: 2e12559f0314e212656c6ebcc7f39bcf91dad276
SHA-256: f3e8ddcf7017890b0495b067cbd4dbc0045d5b2422949af9481ecec16d1c92e5
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF triggers a critical heuristic indicating that it links to known malicious redirector infrastructure. The embedded URL 'https://ttraff.link/pify?keyword=beauty+queens+pdf' is the primary indicator of malicious intent. No scripts were explicitly extracted; T1059.007 is included because PDF redirect lures of this kind often use embedded JavaScript to trigger the redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.link/pify?keyword=beauty+queens+pdf (in PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: stream_004_off0000629d.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x629D
  Size: 14144 bytes
  SHA-256: d5f3a19e1db9a22c711f4da6897f8cb5ebe659f46bae3f5397a85918efec22a4

Filename: font_00_sfnt_off000050e0.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x50E0
  Size: 5184 bytes
  SHA-256: 3dac2f29b2074097268ded0af276a24100e2ca5ac155dc72833ea614ddd68832

Filename: font_02_sfnt_off00008a95.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8A95
  Size: 10768 bytes
  SHA-256: 81b9aa64178bed597b1c0c91a0454cdc6622ee65a8301a492fec34c31b0ddeb2

Filename: font_03_sfnt_off0000af81.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xAF81
  Size: 16092 bytes
  SHA-256: e9fe716c2abc985b12a899a49d5539e4e8be1b56d50c083b30290d85a2a7c848