Malicious PDF — malware analysis report

Static analysis result for SHA-256 02845277c9e5d740…

Verdict: MALICIOUS

File type: PDF

Size: 84.1 KB
Created: 2020-08-07 22:20:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a69755f83977693139be66ae6cea8d05
SHA-1: 56b5756bff77f491bad494223b1a4b18e73fe7b9
SHA-256: 02845277c9e5d740bf9bdfaf37dff7231faead9478c0d621cd53f0d19e08f4e2
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
Note: none of the heuristics below report JavaScript in this sample; the active content they describe is link annotations and redirect chains, so the T1059.007 mapping is not corroborated by this analysis.

The PDF carries a large number of clickable links for its 84.1 KB size: 17 external PDF links (14 on cdn.shopify.com, three on files.* subdomains) plus a critical-severity link to 'ttraff.com', a host the heuristics identify as known malicious redirector infrastructure. The document body is not obfuscated so much as Flate-compressed, as is normal for wkhtmltopdf output; the decoded content stream is among the extracted artifacts. Taken together this matches a generated SEO link-farm PDF that routes a user who clicks into a redirect chain, likely as part of a phishing, scam or unwanted-software delivery campaign, rather than a document that exploits the PDF reader itself.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9971

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability, so the risk is to whoever clicks, not to the parsing host.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host (here cdn.shopify.com). This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, and does not resemble a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content; it is rated info here, consistent with that rule.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels (macro, JS, link annotation, document body, ...) say which channel reached each URL. The ttraff.com entry and the 17 external .pdf links are the link-annotation targets that the two critical heuristics fire on. The remaining entries (the w3.org, purl.org and ns.adobe.com namespaces; the ascendercorp.com, fedorahosted.org/lohit, opentle.org, dejavu.sourceforge.net, scripts.sil.org/OFL and gnu.org licence URLs) are XMP metadata namespace identifiers and vendor/licence strings from the embedded fonts, not clickable targets, and should not be treated as indicators.
    • https://ttraff.com/pify?keyword=define+housing+pdf
    • http://files.mogullifeinc.com/uploads/1/3/1/3/131383892/fonen.pdf
    • http://files.amandagrahamlpc.com/uploads/1/3/0/8/130815026/vefinozevefenajekeji.pdf
    • http://files.virtuallibrary.info/uploads/1/3/0/7/130775675/vovifoxa.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • http://www.opentle.org
    • https://cdn.shopify.com/s/files/1/0438/2598/7734/files/lafomemo.pdf
    • https://cdn.shopify.com/s/files/1/0434/0137/9996/files/bezijobebomuxifigefuge.pdf
    • https://cdn.shopify.com/s/files/1/0440/1741/8405/files/prompton_state_park_map.pdf
    • https://cdn.shopify.com/s/files/1/0430/8484/1124/files/14233582907.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/dedijadexurusefux.pdf
    • https://cdn.shopify.com/s/files/1/0433/3980/8922/files/90413825216.pdf
    • https://cdn.shopify.com/s/files/1/0447/1144/4634/files/bisection_method_derivation.pdf
    • https://cdn.shopify.com/s/files/1/0435/4693/5451/files/kujogubop.pdf
    • https://cdn.shopify.com/s/files/1/0436/5543/0302/files/rajudu.pdf
    • https://cdn.shopify.com/s/files/1/0432/7289/6672/files/kirijafatotuzam.pdf
    • https://cdn.shopify.com/s/files/1/0431/4061/2262/files/94698448108.pdf
    • https://cdn.shopify.com/s/files/1/0433/6245/1611/files/advanced_inorganic_chemistry_lecture_notes.pdf
    • https://cdn.shopify.com/s/files/1/0439/4090/5128/files/queen_bohemian_rhapsody_notes.pdf
    • https://cdn.shopify.com/s/files/1/0432/1984/5277/files/amana_ptac_service_manual.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/gpl.html
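The three link-related heuristics above (PDF_MALICIOUS_REDIRECTOR_LINK, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a plain sequential scan of the PDF bytes. The following is an added example written for this page, not code from the analysis platform that produced the report. It assumes stdlib-only Python, a hypothetical allow-list REDIRECTOR_HOSTS seeded with the ttraff.com host named above, and assumed thresholds (at least 8 external .pdf links, file under 256 KB, 60% of links on one host); the sample PDF it scans is constructed inline and is not the analysed file.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Hosts already known to be redirector infrastructure. 'ttraff.com' is the one
# named in the report; extend the set from your own intel (assumption for this example).
REDIRECTOR_HOSTS = {"ttraff.com"}

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def objects(pdf: bytes):
    """Yield (num, gen, body) for every 'N G obj ... endobj' in file order.
    A sequential scan sees every definition, including ones an xref-driven
    reader would never visit."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(pdf: bytes) -> dict:
    """Map (num, gen) -> bodies for objects defined more than once with
    differing bytes (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape)."""
    seen = {}
    for num, gen, body in objects(pdf):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(pdf: bytes, num: int, gen: int, policy: str = "last"):
    """Return the body a first-wins or last-wins reader would use for (num, gen)."""
    bodies = [b for n, g, b in objects(pdf) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def extract_uris(pdf: bytes) -> list:
    """Collect /URI targets from plain objects and from inside FlateDecode streams."""
    found = [m.group(1) for m in URI_RE.finditer(pdf)]
    for m in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates a sloppy /Length or a clipped checksum tail
            data = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not zlib data (font, image, ...): skip
        found.extend(u.group(1) for u in URI_RE.finditer(data))
    return [u.decode("latin-1") for u in found]


def link_farm_verdict(pdf: bytes, min_links: int = 8, max_size: int = 256 * 1024,
                      cluster_ratio: float = 0.6) -> dict:
    """Apply the two link heuristics. Thresholds are assumptions for this example."""
    uris = extract_uris(pdf)
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    redirectors = sorted({urlsplit(u).hostname for u in uris} & REDIRECTOR_HOSTS)
    return {
        "size": len(pdf),
        "uri_count": len(uris),
        "external_pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": share,
        "redirector_hosts": redirectors,
        "PDF_SEO_LINK_FARM": len(pdf) <= max_size and len(pdf_links) >= min_links and share >= cluster_ratio,
        "PDF_MALICIOUS_REDIRECTOR_LINK": bool(redirectors),
    }


def build_sample_pdf() -> bytes:
    """Constructed sample, not the analysed file: a tiny link-farm PDF whose page
    object is redefined in an incremental update and whose redirector link sits
    inside a Flate-compressed stream."""
    farm = [f"https://cdn.shopify.com/s/files/1/04{i:02d}/0000/0000/files/doc{i}.pdf" for i in range(10)]
    farm.append("http://files.example.net/uploads/other.pdf")
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj"]
    annots = " ".join(f"{10 + i} 0 R" for i in range(len(farm)))
    objs.append(f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{annots}] >> endobj".encode())
    for i, u in enumerate(farm):
        objs.append(f"{10 + i} 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI ({u}) >> >> endobj".encode())
    hidden = zlib.compress(b"<< /Type /Annot /Subtype /Link /A << /S /URI "
                           b"/URI (https://ttraff.com/pify?keyword=define+housing+pdf) >> >>")
    objs.append(b"30 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % len(hidden)
                + hidden + b"\nendstream endobj")
    # Incremental update: object 3 0 appears again with a different body.
    objs.append(b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [30 0 R] >> endobj")
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\n%%EOF\n"


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(link_farm_verdict(sample))
    for key, bodies in duplicate_objects(sample).items():
        print(f"object {key[0]} {key[1]} defined {len(bodies)}x: first-wins -> "
              f"{resolve(sample, *key, 'first')!r}, last-wins -> {resolve(sample, *key, 'last')!r}")
```

Run it against a real file with `link_farm_verdict(open(path, "rb").read())`. The sequential scan is deliberate: a reader that walks the xref table only sees the definition the table points at, so the duplicate-object check must read every `obj ... endobj` pair in file order and compare bodies, and link extraction must look inside Flate streams, because object streams and compressed content are where a generated carrier keeps most of its link annotations.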

Extracted artifacts (9)

Files carved from inside the sample during analysis: one Flate-decoded content stream and eight embedded sfnt (TrueType/OpenType) font programs, which is the expected layout for wkhtmltopdf output.

stream_011_off000116ba.bin
  SHA-256: 9a53eb0f5d899206140142024e1329928d04523b9b037af6ea44b3d64dff0b7c
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x116BA
  Size: 18176 bytes
font_00_sfnt_off00007f93.bin
  SHA-256: d9df6945b54372b4ce1b038b385752c5e534dd56f39eb70cfae60a2504a527db
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7F93
  Size: 5684 bytes
font_01_sfnt_off0000936f.bin
  SHA-256: e8460fc70a297df58472331d9ee4481aa5ff59477b48fa113731784b3d56e899
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x936F
  Size: 4964 bytes
font_02_sfnt_off0000a462.bin
  SHA-256: dbaab8dcf32bfe64cb008f34eb54f5316f62236e8dffe3de49b44225404383a5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA462
  Size: 2656 bytes
font_03_sfnt_off0000af66.bin
  SHA-256: 864cbe2c6973b44d2b71e19ffbffb2328dcb3759b07ceb43c11d5a372fc4956d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xAF66
  Size: 2328 bytes
font_04_sfnt_off0000ba1c.bin
  SHA-256: d117309382da938f7dffedc42f90dd4217b4d540d75629b80669d975ecbc171e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xBA1C
  Size: 2108 bytes
font_05_sfnt_off0000c3e8.bin
  SHA-256: d3dc3c1cb0bbe779b8a272bcda9fbc940a9c9c0c1939556fcdbc8a989f0c9d08
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xC3E8
  Size: 10420 bytes
font_06_sfnt_off0000e13c.bin
  SHA-256: f653e2cffa139e346373a214593a71d57df7ae5d47440b264cff8802f94451f0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE13C
  Size: 18352 bytes
font_08_sfnt_off00013386.bin
  SHA-256: c12c670e310cd2dd0f4b1ea6ea0d01ef35e1284caa1cfc967b978b02bd897c09
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13386
  Size: 3276 bytes